Incidents Calendar

Notable recent developments in digital security


Digital Security

    • 12 July

      US: Concerns raised over Kaspersky's gov't links

      Concerns over the possibility of links between security software company Kaspersky and the Russian government have resulted in the company being removed from a list of approved vendors for security contracts being offered by US governmental organizations.

      The concerns were first raised during testimony given by US intelligence chiefs at a congressional hearing in May. The company has denied any ties to the Russian government, and no evidence of inappropriate links has been released by the administration or intelligence officials. Given the current strained relations between the two countries, however, lawmakers have expressed fears that the security products could be targeted by state-backed actors to gain entry to US government systems.

    • 20 July

      US: Laptop ban on flights lifted

      The United States announced that its ban on electronic devices in the cabins of incoming flights from 10 airports in the Middle East has been lifted following changes in security procedures at the affected airports.

      The controversial ban prompted fears about the security of the devices that would need to be checked into the luggage hold, both physically and in terms of the data stored on the device.

      While the laptop ban has been lifted on US-bound flights from the Middle East, it remains in place for flights to the United Kingdom.

    • 22 July

      Microsoft sues Fancy Bear hacking group for trademark violations

      Microsoft announced it was pursuing a novel strategy for combating the hacking group identified as Fancy Bear (also known as APT28 and Strontium): suing them for trademark violations related to the command-and-control (C&C) domains used by the group to communicate with the infected machines under their control.

      The civil lawsuit filed by Microsoft in a US federal court hinges on the use of domain names that contain, or are similar to, trademarks associated with the company. While the use of such names is intended to lure unsuspecting users into believing the sites are legitimate Microsoft properties, the same characteristic could arguably leave the domain owners - that is, the hacking group - vulnerable to a legal challenge from the trademark owners.

    • 23 July

      Sweden: Massive Transport agency security lapse

      Sweden's government was left scrambling to deal with the fallout of revelations that confidential data had been exposed by a security lapse involving a database owned by the Transport Agency, which manages the records related to the country's defense infrastructure.

      The administration of the agency's database had been outsourced a couple of years previously, but at the time adequate safeguards had not been implemented, resulting in personnel without security clearance having access to confidential details about Swedish citizens.

      The lack of appropriate security measures was also reportedly in contravention of existing national laws on data security and privacy, and has resulted in at least three officials being forced out and/or fined. The new head of the Transport Agency has said that it would take until fall of this year to properly secure the information.

    • 8 June

      Estonia to launch first 'data embassy'

      Estonia has reportedly signed a deal with Luxembourg to establish the world's first 'data embassy'. The bilateral agreement would grant the server room in Luxembourg where the data is to be stored the same rights and privileges as are currently accorded to more conventional embassies.

      The move is meant to address concerns about how to safeguard Estonia's critical, confidential data in the event of a major cyberattack on the country's online governmental services. This scenario became a more pressing issue following the 2007 cyberattacks against Estonia's online services and banks, which were widely reported at the time.

    • 8 June

      EU looks to expedite police data requests for tech firms

      Following a wave of terrorist attacks across Europe, the European Commission is reportedly considering options that would allow law enforcement agencies to obtain information more quickly from technology companies, particularly those based in other nations in the bloc.

      According to news reports, EU MPs would be asked to consider three options for expediting such requests: allowing agencies in one member state to directly ask an IT provider in another state for evidence without going through the country's law enforcement agency; requiring companies in one country to turn over data if requested by another nation's enforcement agencies; and in the most extreme or extraordinary cases where they do not know the actual servers' location, allowing authorities to copy data directly from the cloud.

      Following discussion of these options, the Commission would then formulate a proposal to be presented either later this year or in early 2018.

    • 13 June

      NSA report on Russia hacking of US elections leaked, published

      News outlet The Intercept broke the news of a report leaked from the US National Security Agency (NSA) that detailed investigations into the hacks targeted at the electoral machinery of the United States elections. The leaked report detailed attacks against a tech firm that provided the machines and software used in voting registration. The report comes on the heels of further revelations that hacks targeting voter data had taken place in 39 states, a far wider scope than had been previously thought.

      Publication of the report also coincided with the arrest of an NSA-affiliated contractor for removing classified material from a government facility.

    • 14 June

      US: 'North Korea behind recent hacks'

      A Technical Alert issued by the US Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) has formally attributed a number of recent cyberattacks to hackers with backing from the North Korean regime.

      The attackers, referred to in the Alert as the Hidden Cobra group (more commonly identified as Lazarus by security researchers), have been previously linked to the 2014 Sony Pictures hack and the 2016 Bank of Bangladesh heist, among other notable attacks. More recently, there has been speculation that the same group is responsible for the WannaCry ransomware outbreak that erupted in May 2017.

    • 17 May

      UK: Activist charged for not giving device passwords

      The United Kingdom has formally charged Muhammad Rabbani, a director at the Cage human rights campaign group, with wilfully obstructing a search under Schedule 7 of the Terrorism Act 2000 for refusing to divulge the passwords for his electronic devices while crossing the UK border in 2016.

      The controversial Schedule 7 legislation gives police broad powers to search individuals and their devices without needing the approval of a judge, including requiring suspects to hand over the passwords for any devices present. According to news reports, Rabbani claimed his laptop had contained confidential information related to a human rights abuse case involving US intelligence services.

      This is reportedly the first time that a formal charge has been filed under Schedule 7 for failing to disclose passwords.

    • 28 May

      US: Laptop ban may apply to all flights to & from US

      United States Secretary for Homeland Security John Kelly reportedly said that the department was considering expanding an existing ban on laptops being carried in the cabins of flights from certain countries to the US to encompass all flights both into and out of the country.

      If instituted, the ban would mean that all electronics bigger than a smartphone would need to be checked in on international flights. The ban in its current state has already raised concerns about the security of electronics being transported in checked-in luggage, as well as worries about the security of any data stored on such devices.

    • 4 Apr

      US allows ISPs to sell user data

      The United States passed legislation repealing privacy regulations that prevented Internet Service Providers (ISPs) from selling the user browsing data they collect. The legislation essentially allows ISPs to sell the collected information to advertisers and other third-party agencies without requiring prior authorization or notification to the user.

      The legislation had prompted criticism from privacy and consumer rights advocates, who point out that many users are in no position to choose alternative ISPs if they disagree with the providers' policies. In response to these concerns, some ISPs have publicly announced that they would not collect personal information unless explicitly permitted by their users.

    • 5 Apr

      US considers extending 'extreme vetting' to more US visitors

      The Trump administration is reportedly considering expanding the practice known as 'extreme vetting' during the visa application process to include applicants from more countries, including the US's traditional allies such as Britain, France and Australia.

      'Extreme vetting', or demanding mobile phone contacts, social media passwords and other personal information supposedly to determine a visa applicant's potential security risk, has already been the target of major privacy and security concerns. Until now, however, the intensive scrutiny was not considered necessary for nationals of the 38 countries listed under the US's visa waiver program, as the listed nations already have a cooperative data sharing arrangement with the US.

      News reports have been careful to note that the changes are only being 'considered', and the Department of Homeland Security has thus far not commented on the speculations.

    • 4 Mar

      Trump wiretapping claims lead to flat denial from GCHQ

      A political firestorm, sparked when US President Trump claimed that he had been the subject of a 'wiretap' by the preceding administration during the presidential election campaign, aroused further trans-Atlantic consternation when the White House press secretary quoted a media report alleging that the UK's intelligence agency GCHQ had been used to perform the surveillance.

      The allegations led to an unprecedented public statement from GCHQ dismissing the claims as 'utterly ridiculous', breaking its longstanding practice of refusing to comment on media reports covering its activities. Statements from the UK government have also repudiated the claims.

    • 8 Mar

      WikiLeaks releases 'Vault 7' docs of CIA hacking tools

      WikiLeaks released a vast trove of documents (referred to as the Vault 7 cache) reportedly from the CIA covering their hacking techniques and tools. While there has been no confirmation from the agency that the documents are real, security researchers examining the contents have publicly affirmed that they believe them to be authentic.

      Of particular note in the released documents is the existence of previously undisclosed vulnerabilities in a variety of consumer devices and software from companies such as Google, Apple, Cisco, and various antivirus companies including F-Secure. The affected companies have in turn issued statements on the impact of the revealed materials and recommendations for affected users.

    • 21 Mar

      US, UK 'bans laptops' on direct flights from 10 airports

      The US has banned laptops, tablets and other devices larger than a smartphone in carry-on luggage on direct inbound flights from specific airports and airlines. The ban was reportedly prompted by security fears after the government received intelligence that terrorist groups were trying to install explosives on such devices.

      The US ban affects 8 countries - Jordan, Egypt, Turkey, Saudi Arabia, Morocco, Qatar, Kuwait and the United Arab Emirates - and 10 airports. The UK followed suit shortly after, imposing a similar ban that affects flights from 6 countries - Egypt, Jordan, Lebanon, Saudi Arabia, Tunisia and Turkey.

      The ban has raised concerns over the security of any devices that would now need to be stowed in checked-in luggage for the affected flights. The concern is particularly pressing for business travellers, who are faced with ensuring the integrity of any data stored on the devices while they are out of sight. Security observers have also questioned the effectiveness of the ban itself.

    • 10 Feb

      US: Microsoft allowed to sue gov't over secret gag orders

      A US federal judge has determined that Microsoft has sufficient standing to sue the US Department of Justice (DOJ) for the right to inform its users when their data has been subjected to a legal data demand from the government.

      Currently, legal demands for user data made under the Electronic Communications Privacy Act (ECPA) are also accompanied by gag orders which prevent the affected companies from alerting their users to the requests. These gag orders frequently have no end date, a situation which the companies say violates the Fourth Amendment rights of their users. The DOJ in turn has argued that the companies suffer no material harm from not providing such notice to their users, and that the companies themselves have no standing to pursue Fourth Amendment claims on behalf of others.

      The judge's decision to allow Microsoft to proceed with its lawsuit has been hailed as a promising development by privacy advocates, who remain concerned about secretive government overreach to data held in cloud storage.

    • 20 Feb

      Concerns raised over US border phone searches

      Following the controversy over the travel ban initiated by President Trump, concerns have been raised over the impact on privacy of the vetting procedures used by US border officials, especially after multiple reports surfaced of travelers (both US citizens and non-citizens) being pressured to give their phone or device passwords in order for immigration officers to view the contents.

      The concerns were also heightened by comments from Department of Homeland Security (DHS) Secretary John Kelly that foreign visa applicants may be required to provide the passwords to their social media accounts as part of vetting procedures. The news reports and controversy have led at least one US Senator to launch legislation that would require border agents to obtain a warrant before they can search devices.

    • 6 Jan

      US: Election systems designated 'critical infrastructure'

      Following the contentious 2016 US presidential election, which was marred by claims of election rigging and cyber attacks, the nation's election infrastructure has been officially designated as 'critical', alongside other sectors such as finance, food and agriculture, and communications. The designation formally gives the Department of Homeland Security (DHS) responsibility to prioritize and protect the identified sectors.

    • 26 Jan

      US executive order prompts Privacy Shield concerns

      US President Trump's executive order, Enhancing Public Safety in the Interior of the United States, which expressly excludes non-US citizens from being granted privacy protections under the US Privacy Act, has raised concerns over the standing of the US-EU Privacy Shield legislation, especially among the tech companies who would be hardest hit if the legislation were dismantled.

      European legislators, who have to date been stringent in overseeing the privacy of European data being held on servers belonging to US tech companies, had already scuttled the preceding Safe Harbor act after the European Court of Justice ruled that the US had failed to properly heed European privacy requirements.

      While some legal commentators have noted that the executive order does not appear to affect Privacy Shield, the uncertainty has prompted calls from the tech industry for more overt assurance from the US government.


    • 13 July

      EU: Employer guidelines to view staff's social media posts

      The Article 29 Working Party, which advises on data protection issues for the European Union, issued guidelines related to employers investigating a prospective employee's social media presence.

      Under the guidelines, an employer would need to show that they have 'appropriate legal' grounds to consider the potential candidate's social media posts, and can only review content that would be relevant to the position being applied for. The same guidelines would also apply to existing employees.

    • 14 July

      US: 'Border agents can't search cloud data, can search local device data'

      The US Customs and Border Protection agency issued a statement that its legal authority allowed it to access "information that is physically resident on an electronic device transported by an international traveler"; this authority however did not extend to information stored solely on remote servers. The clarification was made in response to questions posed to the agency by a Senator.

      The statement was issued at a time when more aggressive device and social media searches by US border security agents have raised concerns about privacy, not only among foreign travellers to the country, but also for US citizens and legal residents.

    • 18 July

      FBI warns of privacy concerns for Internet-connected toys

      The Federal Bureau of Investigation's Internet Crime Complaint Center (IC3) issued a rare consumer alert warning parents of the privacy and data security risks associated with Internet-connected children's toys. Many 'smart toys' include recording and playback functions which store the saved data on a remote server, potentially giving an attacker access to personal recordings or an easily overlooked access point to the home network.

      While the Children's Online Privacy Protection Act (COPPA) requires companies to obtain parental permission before collecting data from a user under 13 years old, security precautions for children's toys are not currently considered a major priority for manufacturers. In the past few years, there have been a number of incidents where toys were found to be collecting children's data without their parents' knowledge or permission.

    • 24 July

      US: Kansas gov't DB hack exposed data of 5.5M citizens

      A server owned by the Kansas Department of Commerce reportedly suffered a breach that resulted in the Social Security Numbers (SSNs) of almost 5.5 million citizens being exposed. The server hosted a database for the America's Job Link Alliance-TS service, which handles state-sponsored job search sites that cater to users in 16 states.

      According to reports, the Federal Bureau of Investigation was called in to investigate soon after the breach was discovered in March, though news of the breach itself was only made public after a Freedom of Information (FOI) request was made by journalists in May.

    • 19 June

      Details of 198M US voters exposed

      A security researcher announced the discovery of confidential records for over 198 million voters in the United States, which were found to be accessible and unprotected on the Internet. The information was gathered and stored by the Deep Roots Analytics research company, and a misconfigured database on an unsecured Amazon S3 storage server is thought to be the cause for the exposure, rather than an attack.

      The data exposure was responsibly disclosed by the security researcher, which led to the server being secured and reconfigured before the incident was reported to the public. News reports have characterized the incident as the 'largest ever' leak of such information, as well as noting the fact that the company is affiliated with the Republican political party.

    • 12 May

      HP laptops with 'keylogger' installed reported

      Security researchers reported their discovery of an audio driver, found on some HP device models, with a debugging feature that effectively functioned like a keylogger. The driver was found to be quietly recording all keystrokes entered on the affected devices and storing the information in an unencrypted file on the laptop's hard drive, data that would have included sensitive information such as login credentials and banking details.

      The audio driver, which was developed by Conexant, was reportedly preinstalled on more than two dozen laptop and tablet models, including the HP Elitebook and ZBook. HP announced that it has since issued a patch to fix the issue.

    • 19 May

      Twitter kills 'Do Not Track' feature

      Twitter recently announced a number of changes to its privacy and data usage policies which have raised concerns among privacy-conscious users. The changes include discontinuing support for the Do Not Track (DNT) browser feature and extending the life of its tracking cookies. The revisions also include giving the user more transparency and control over the information it collects and shares with third parties.

    • 31 May

      Germany: Parents denied access to teen's Facebook account

      A German appeals court has ruled that the parents of a teen who was killed by a train in 2012 did not have any rights to access the child's Facebook account. The parents had sought access to the account to determine if their child had been bullied or suicidal; Facebook had however rejected their request due to concerns that granting it could set a precedent and compromise the privacy of other account holders.

      In the first case filed by the parents, a regional court had ruled in the family's favour to allow them access to the account; in the following case however, the appeals court ruled that the teen had entered a contract with Facebook in creating the account which had ended with the death.

    • 3 Apr

      Fancy Bear hacking group steal more athlete drugs data

      The International Association of Athletics Federations (IAAF) announced that it had been hit by a cyber-attack that may have compromised some of its stored medical information for international athletes.

      The organization attributed the attack to the hacking group known as Fancy Bear, which is believed to also be behind previous attacks on the World Anti-Doping Agency (WADA) and the US presidential elections. The group is also believed to have ties to Russia, though the nation has repeatedly denied the allegations.

    • 15 Apr

      Shadow Brokers' NSA leak: Windows exploits, SWIFT banking hacks

      Hacking group the Shadow Brokers released documents allegedly stolen from the NSA that contain exploits for previously unknown vulnerabilities in various Windows operating systems, including a framework that could be used to load and run the exploits.

      Also included in the release was code that appears to show the NSA hacking deep into banks, particularly in the Middle East region. According to reports, the agency focused on accessing at least one of the regional service bureaus tied to the SWIFT global banking network, though the named bureau has since denied the reports.

    • 19 Apr

      Intercontinental data breach expanded from 12 to 1,000 affected hotels

      Following an internal investigation, the Intercontinental hotel chain announced that over 1,000 of its hotel properties had shown signs of having data-harvesting malware installed on their point-of-sale (POS) systems. The number of affected properties is a dramatic increase over the 12 that the chain initially thought had been compromised.

      According to reports, the malware was active for three months at the end of 2016, and was designed to steal data from a card's magnetic stripe. It was also reported only in hotels based in the US and Puerto Rico, though the hotel chain has said it will be investigating its other international properties.

    • 15 Mar

      33M records of US corporate contacts leaked

      A database containing over 33 million records of contact details for personnel in a wide swathe of corporations and government bodies has reportedly been leaked. According to news coverage, the database has been confirmed as belonging to Dun & Bradstreet, a business services organization that acquired the database in a 2015 deal with NetProspex.

      A statement from the company itself claims that no breach of its internal systems occurred, and that the database contains "generally publicly available business contact data, used for sales and marketing purposes."

    • 24 Mar

      users accidentally exposing personal info

      A security researcher discovered that thousands of users had inadvertently left their passwords and other sensitive personal data publicly viewable for months on the popular file-sharing service from Microsoft.

      The service, which uploads all documents as publicly viewable by default, also offers options for more limited access which restrict viewing to a selected audience; the research, however, indicated that many users uploaded sensitive documents with the default settings, leaving them viewable to any user browsing the site with its built-in search engine.

      Following the news reports, Microsoft briefly took down the site's search engine, though the feature has since returned.

    • 28 Mar

      US Senate, Congress allows ISPs to sell user browsing history

      Both the US Senate and Congress have voted to repeal regulations that required Internet Service Providers (ISPs) to obtain user consent before selling on the sensitive personal data they handle and collect, including user browsing histories, to advertisers and other third-party agencies.

      The repeal has led to concerns about how ISPs could use the data, with privacy advocates worried that the material could be sold on without the user's knowledge or consent. In response, some US states have begun introducing legislation that would require ISPs to obtain written permission from their users before the company could sell the collected data.

    • 16 Feb

      Yahoo!: Forged cookies used to hack some accounts

      Yahoo! has again returned to the headlines for a security incident, as it sent email notifications to some users informing them that their account had been accessed as recently as 2015 or 2016 using forged cookies. The company had last year quietly announced, in a filing with the Securities and Exchange Commission, that it had suffered a data breach exploiting the cookie-related vulnerability, but this is the first notification of that particular breach to be sent to the affected users themselves.

      Verizon, which is in acquisition negotiations with the embattled Yahoo!, has since announced that the agreed price for the deal has been reduced by $350 million.

    • 17 Feb

      Germany: connected doll 'illegal spy device'

      Germany's telecommunications regulator, the Federal Network Agency (Bundesnetzagentur), has urged parents to get rid of the Cayla Internet-connected dolls, after ruling that the toys are legally considered 'surveillance devices'. The toys themselves have been banned in the country.

      Germany is considered one of the most privacy-conscious countries in Europe, and considers any device that can record and transmit audio or video without detection to be unlawful. Security researchers have demonstrated that the Bluetooth connection used by the doll can be hacked to eavesdrop on persons within the toy's vicinity.

    • 24 Feb

      'Cloudbleed': Cloudflare bug leaks user data

      Google researchers announced the discovery of a bug, dubbed 'Cloudbleed', in the Cloudflare web hosting and security infrastructure, which had been leaking private user data for months. The infrastructure, which is owned and managed by Cloudflare, is quietly used in the background by hundreds of thousands of websites to improve their traffic handling capabilities, in particular popular services such as OKCupid, Uber and Fitbit.

      The bug, in simple terms, unintentionally loaded the private data of other users into a webpage's source code, where it was not visible to normal users. All reports have indicated that the data is not currently being exploited.

      In response, Cloudflare has been open, prompt and transparent in fixing and addressing the issue. They have also urged users to change all passwords, strictly as a precaution.

    • 28 Feb

      Cloudpets connected toys data breach

      Security researcher Troy Hunt reported that the personal data of over half a million customers who had bought Internet-connected toys had been compromised due to a poorly secured database.

      The CloudPets toys, which could be connected via Bluetooth to a phone app that allowed parents to leave audio messages for their children, reportedly stored user info and voice messages on a public-facing database with weak security. Though the database has since been removed from public access, the researcher noted that multiple demands for ransom had been left by then. Warnings sent to Spiral Toys, the company selling the toys, were reportedly ignored, and no notice about the data breach has yet been provided to affected users. Spiral Toys has also denied the breach, saying that no recordings had been stolen.

    • 13 Jan

      900GB Cellebrite data lost to hack, some tools published online

      900GB of data were reportedly leaked from Cellebrite, the data extraction company best known for . The stolen data was said to include customer information, technical product details and also some of the evidence the company was able to retrieve from devices.

      The company itself has confirmed that it detected "unauthorized access" on an external server, but was "not aware of any specific increased risk to customers as a result of this incident".

      A couple of weeks later, the hacker publicly released (a part of) the stolen data to Pastebin. The released data mainly focused on tools to hack iOS, but there are also references to Samsung and Blackberry. Some of the iOS tools are nearly identical to software written by the jailbreaking scene.


    • 7 July

      US: 'Hackers targeted US energy sites'

      News reports indicate that the US Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have been seeing a number of cyber attacks targeting organizations in the US energy sector, including a nuclear power plant in Kansas. A joint statement from the federal agencies affirmed that "there was no indication of a threat to public safety".

      While the reported probing of energy-related companies is concerning, security researchers have been quick to point out that it is hardly unexpected, nor limited to the US. In addition, all reports so far have indicated that the intrusions have been limited to the organizations' business networks, which are separate from the isolated and often highly complex and obscure industrial control systems used to physically manage the actual machines in the targeted power plants or factories.

    • 18 July

      UK: 'GCHQ warns hackers targeting energy sector'

      A report from the National Cyber Security Centre of the UK's GCHQ intelligence agency stated that cyber attackers are targeting facilities in the country's energy sector, which include not only the actual power stations but also the industrial control system providers and services organizations that support them. According to news articles covering the report, the agency believes that at least some targeted organizations or systems may have been compromised.

      The attacks are part of what is seen as a recent wave of activity, which has also seen companies in other sectors such as industrial control, engineering and water being quietly probed or breached. Similar activity has also been reported in other countries, most notably the US.

    • 21 July

      UAE denies claims it hacked Qatar sites

      The United Arab Emirates (UAE) has denied news reports that it was behind a cyber attack that took place over May 24-25 and affected the Qatar News Agency (QNA). The Qatari government has publicly claimed that the cyber attack 'originated from the UAE'.

      Both the UAE and Qatar are involved in a diplomatic standoff and blockade, over accusations that the former is supporting terrorism and undermining the stability of its neighbors.

    • 3 May

      'Google Docs' phishing campaign reported

      A phishing email campaign has been reported that uses a legitimate-looking Google Docs link to lure users into granting permissions to a malicious app disguised as Google Docs. If the unsuspecting user does so, they effectively grant access to their Gmail account to the malware.

      The phishing emails are styled to look very similar to the notification emails that legitimate Google Docs apps send out. Clicking on the included link, however, leads to a dialog asking the user to allow an app named Google Docs (and using the actual Google Docs icon) to 'read, send, delete and manage your email'. This is, however, a malicious third-party app that simply appropriated the Google Docs name and branding. If the user grants access, the app then uses the account to send out further phishing emails.

      Google has since disabled the app, removed related phishing pages and is investigating the issue further.

    • 6 May

      French electoral campaign hacked

      The campaign team for French presidential candidate Emmanuel Macron announced that they had been the target of a hacking campaign, which they believe to be an attempt to undermine the outcome of the French presidential elections in early May. The announcement follows the release of a cache of documents and emails online, which were allegedly stolen from the campaign team in the lead-up to the elections.

      Unlike the hacking incidents that affected the US presidential elections, news of the hack in France has been relatively muted, as the press respected a legal blackout on election reporting during the voting period. The impact of the hack on the elections also appears to have been almost negligible.

    • 15 May

      WannaCry ransomware outbreak spreads globally

      The largest ransomware outbreak in history exploded over Easter weekend, with the most notable infections reportedly affecting hospitals, public transit services and telecommunications companies, as well as innumerable businesses and home users. The ransomware, variously known as Wanna, WCry, WannaCry, WannaCryptor and Wana DecryptOr, targeted Windows machines running versions prior to Windows 10, encrypted files stored on the device and demanded payment in Bitcoin for the decryption key.

      WannaCry was particularly notable for spreading using the EternalBlue exploit of Windows' Server Message Block (SMB) protocol, which was first revealed in a dump of alleged material from the US National Security Agency (NSA) by the hacking group The Shadow Brokers. Another notable aspect of the ransomware is the presence of a 'kill switch' feature, which required the malware to contact a domain before it could proceed with the infection. A security researcher was able to register the contacted domain, effectively slowing down the initial spread and impact of the ransomware. Later WannaCry versions were discovered without the kill switch, but these never gained as much traction as the initial variant.

      In response to the outbreak, Microsoft issued emergency patches for both the current supported Windows versions and for unsupported ones such as Windows XP and Windows Server 2003. Since the outbreak however, news reports have noted that almost all infected machines were running Windows 7.

    • 5 Apr

      'Cloud Hopper' attack reported

      Security researchers reported on a hacking group they named 'Operation Cloud Hopper' that targets IT service providers and other third-party services as a stepping stone towards compromising the victim's client companies, which are the hacking group's real targets. This form of indirect, multi-stage compromise is also known as a 'supply-chain' or 'upstream' attack.

      According to the report, the eventual aim of the hacking is to steal trade secrets from the targeted companies.

    • 10 Apr

      Hackers set off Dallas' emergency sirens

      Residents of Dallas, Texas were forced to endure a night of blaring noise when hackers managed to repeatedly trigger the city's 156 emergency sirens, before emergency workers were finally able to deactivate the system.

      Subsequent news reports indicated that the hack was due to a 'radio issue', with speculation being that the unknown intruders had managed to find and broadcast the radio signal used to centrally control the siren system, rather than a direct computer hack.

    • 12 Apr

      Callisto Group targeting East European orgs

      F-Secure Labs released a report detailing its investigations of the hacking group known as Callisto Group, an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists.

      The group's primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions. The group is currently still active.

    • 15 Mar

      Website attacks exploiting zero-day in Apache Struts 2

      Security researchers reported the discovery of a zero-day vulnerability in the Apache Struts 2 framework, which could allow an attacker to remotely execute code on an affected web server. Exploit code for the flaw was said to be publicly available on hacker forums for some time prior to the report.

      Shortly after an exploit for the flaw was added to the Metasploit framework, an increase in scans for and attacks against servers affected by the vulnerability was observed. A patch for the CVE-2017-5638 flaw was quickly issued, and server administrators are urged to apply it as soon as possible.

    • 16 Mar

      FBI briefing hints spearphishing led to Yahoo! breach

      A briefing by the Federal Bureau of Investigation (FBI) on the massive Yahoo! data breach revealed that their investigations indicated that the intrusion likely began with a spearphishing attack on a single 'semi-privileged' employee.

      According to news reports, the initial targeting led to the attackers obtaining the employee's credentials, which gave them access to the company's internal network. The attackers were then able to move laterally through the network until they could reach targets of interest, as well as discover the tool which allowed them to forge cookies that granted access to the targeted accounts.

    • 26 Mar

      Hackers demand ransom from Apple, allege mass iCloud account hack

      A hacker group calling itself the Turkish Crime Family claims to have access to 250 million iCloud accounts, and is demanding a ransom of $700,000 from Apple in return for not locking the users out of their own accounts on 7 April. For its part, Apple has said that there have been no breaches of its systems, and that the email account details the group had used to demonstrate its access appeared to be culled from 'previously compromised third-party sources'.

      While there has been no solid evidence thus far that the group has the breadth of access that it claims, news reports have recommended that users change their passwords and enable two-factor authentication on their accounts, just in case.

    • 8 Feb

      In-memory malware targeting banks, other enterprises

      Fileless, in-memory malware has been reported in 140 enterprise networks in over 40 countries. Once considered the province of nation-state actors for espionage, in-memory malware now appears to be within the reach of cybercriminals. Of particular note is its use against banks, which have been under increasingly public cyber attack in the last few years.

    • 10 Feb

      Hackers turn university's IoT devices on its own network

      Following complaints of network inaccessibility, administrators at an American university discovered that their network contained over 5000 IoT devices - from smart lightbulbs to vending machines - which had been infected by a botnet.

      The devices had fallen victim due to using default or weak passwords, which allowed attackers to brute-force and infect them. Once roped into the botnet, the IoT devices made hundreds of DNS lookups every 15 minutes, causing the bandwidth issues.

    • 17 Feb

      Android malware used to spy on Israeli soldiers

      Researchers reported the discovery of ViperRAT malware targeting the Android devices of Israeli military members. The malware is capable of monitoring activity and harvesting content from the device, most notably images and audio files, as well as text and contact data. According to reports, the malware is distributed using social engineering tactics.

      The group operating the RAT is not explicitly identified in the reports, though speculation based on analysis of the malware itself is that they operate out of the Middle East.


    • 14 July

      Retefe banking-trojan targets Windows and Mac users

      F-Secure researchers noted a spam run targeting users in Switzerland and Germany that was being used to spread the Retefe banking-trojan; unusually, this distribution campaign targeted users on both Windows and MacOS platforms.

      For this run, the spam emails were each accompanied by specially-crafted files that included a zipped Mach-O program, which runs on MacOS, and either an XLSX or DOCX document file, for Windows systems. If any of the attached files are successfully run, the Retefe banking-trojan is installed. Once active on the machine, the malware targets connections to specific Swiss and Austrian banking portals.

    • 18 July

      Petya.F outbreak: Some businesses still impacted weeks later

      Weeks after the Petya.F outbreak spread around the world at the end of June, some companies are still feeling the aftermath. News reports indicate that a handful of affected hospitals and transportation companies are still struggling to resume normal business.

      Reportedly, the organizations had to cope not only with restoring the data or machines directly affected by the outbreak, but also with the backlog of business that needed to be addressed even while remediation was taking place.

    • 10 June

      Malware spreading via mouseover links

      Attackers are reportedly using a new technique to spread banking fraud malware (known as Zusy or Gootkit), which is silently installed on a user's machine when they hover a mouse pointer over a link embedded in a malicious PowerPoint file.

      Unlike more common attack methods that require more user interaction, this delivery technique only requires the user to open the PowerPoint file and then hover the mouse over a hypertext message that says 'Loading...Please wait.' The action triggers the Windows PowerShell tool, which is then directed to download and install the malware on the computer.

      According to reports, users with the latest Office versions that have Protected View enabled would see a warning message when opening the malicious PowerPoint file, though social engineering tactics may lead them to disregard the warning. Users with older Office versions without the Protected View security feature would see no warning notifications.

    • 12 June

      2016 Ukraine power grid hacked by Crash Override/ Industroyer

      Security researchers reported the discovery of malware, variously identified as Crash Override or Industroyer, that is believed to have been used to disrupt part of the Ukrainian electrical grid for a short time in 2016.

      The researchers released their analysis of the malware, which they characterized as a custom-designed, scalable toolkit that could be used to attack other utility systems, potentially allowing it to be used in much more devastating attacks.

    • 13 June

      Trickbot's erratic targeting, spreading via Necurs botnet

      Security researchers noted erratic changes in the number and geographical locations of banks being targeted by the Trickbot banking trojan, which was previously focused on 109 banks around the world. For a period of time, the list of targets tripled to 333 organizations in multiple countries, including new ones such as Switzerland, the Netherlands and Finland. Following the brief expansion of targets, the list was subsequently cut down to its original number, then expanded yet again to about 235 banks.

      Another notable change in Trickbot's distribution is its use of the Necurs botnet to spread; the botnet was previously observed only spreading Dridex and Jaff.

    • 16 June

      Vault7 leak: CIA firmware infects Wi-Fi routers

      Wikileaks has released another round of documents from its Vault7 leak of materials allegedly from the US Central Intelligence Agency (CIA). The latest release details malware known as CherryBlossom, which reportedly infects and eavesdrops on Wi-Fi routers from 10 manufacturers.

      The released information includes the user guide for the malware and indicators of compromise (IOC) that could be used by administrators to determine if their routers have been hacked.

    • 9 May

      Mac DVD ripper tool site downloads Proton backdoor

      The website of an open source DVD ripping utility program for Mac was reportedly hacked to download a backdoor onto users' computers that could steal password keychains and password vaults.

      A mirror site for the popular Handbrake program was found downloading a backdoor known as Proton, disguised as a fake copy of the desired software. When launched, the downloaded file would ask the user to enter their Mac administrator password, which was then sent to a remote server controlled by the attackers.

      The malicious file has since been removed from the affected site; users who may have downloaded Handbrake software during this period are advised to verify their download and if necessary, remove the file and change their passwords.

    • 16 May

      Adylkuzz crypto-currency botnet uses NSA-linked exploits

      Security researchers reported the discovery of a cryptocurrency-mining botnet that, like the WannaCry ransomware, uses NSA-linked exploits to infect computers. According to the reports, the botnet uses both the same EternalBlue exploit as WannaCry and a backdoor named DoublePulsar to gain access to computers, but instead of downloading ransomware onto the affected machine, it installs mining software known as Adylkuzz.

      The botnet appears to have started earlier than the WannaCry epidemic, most likely at the beginning of May. The botnet was however successful at staying under the radar for some weeks, both because it spread using a then-unpatched vulnerability, and because signs of its infection were far less visible.

    • 23 May

      EternalRocks worm spreading using NSA-linked exploit

      A security researcher reported the discovery of a new worm, dubbed EternalRocks, which uses the same vulnerability in the Windows Server Message Block (SMB) protocol that WannaCry targets to spread itself. Unlike the ransomware, the worm uses the affected machine to continue spreading itself.

      In addition to the EternalBlue exploit, the worm also uses 6 other exploits also revealed in the dump of alleged NSA content, including the ones codenamed EternalSynergy, ArchTouch and DoublePulsar.

    • 20 May

      Uiwix ransomware uses NSA-linked EternalBlue exploit to spread

      Following on from WannaCry, security researchers have reported the discovery of another ransomware, named Uiwix, that uses the same NSA-linked EternalBlue exploit of the Windows Server Message Block (SMB) protocol to spread. In addition to encrypting files on a machine, this new threat also includes code to steal browser login, file transfer protocol (FTP), email and instant messaging app login credentials.

      Unlike its predecessor, however, Uiwix does not write files to the system and instead runs in memory, making it harder to analyze. Another indication that the malware is being designed to avoid detection and analysis is its apparent ability to recognize the presence of a virtual machine (VM) or sandbox, software commonly found on security researchers' machines.

    • 30 May

      Android Judy malware reported

      Security researchers reported finding almost 50 Android apps in Google's Play Store that include code to perform fraudulent ad-clicking behavior. According to reports, most but not all of the affected apps were from a South Korean developer also noted for publishing games that include a character called Judy. The affected apps are reported to have been downloaded up to 36.5 million times.

      The apps were apparently passed by the Play Store's Bouncer code verification system because at that point, they did not contain the malicious code. Once installed on a device, however, the app silently registers the device with a remote server, which then downloads the ad-clicking software onto it. When run, the apps direct the device to a webpage, where the software then generates fraudulent clicks on adverts placed on the page.

      The apps have since been removed from the Play Store.

    • 4 Apr

      Pegasus spy trojan now on Android

      Researchers reported the discovery of the sophisticated Pegasus spy trojan on devices running the Android mobile platform. The malware was previously only available for iOS, and was first discovered being used to monitor the devices of activists in the Middle East, possibly by a nation state.

      The Android version of the Pegasus malware reportedly has the same capabilities as its iOS counterpart, including capturing keystrokes and live audio, as well as capturing data sent in installed apps and email messages.

    • 7 Apr

      Brickerbot botnet makes IoT devices unusable

      Security researchers reported the discovery of a worm, dubbed Brickerbot, that seeks out and infects insecure IoT devices which are susceptible to the same default login credentials used by the Mirai botnet. Unlike other botnets, the Brickerbot malware deliberately targets the storage component of the infected devices, issuing commands that damage the storage sufficiently to make the device completely unusable - essentially 'bricking' it.

    • 14 Apr

      'Rensenware' demands victims play game instead of paying

      In a novel twist, a new ransomware identified as Rensenware encrypts files on the affected user's device, then demands that they "score 0.2 billion in LUNATIC level" on an old shoot-em-up PC game, TH12 ~ Undefined Fantastic Object. While no monetary payment is required, Rensenware is no less troublesome to deal with, as it requires that the user gain a high score in a notoriously difficult game.

      Even more unusually, Rensenware's author Tvple eraser has reportedly apologized for its release, claiming that the malware had been created as a 'joke'. The author also released a tool that can be used to trick the ransomware into believing that the high score has been achieved, and thus obtain the decryption key.

    • 19 Apr

      Hajime 'grayhat' botnet preemptively infects IoT devices

      A so-called 'grayhat' botnet has been reportedly targeting and infecting IoT devices that are susceptible to the Mirai botnet in order to prevent the rival botnet from taking control of the vulnerable devices. The Hajime botnet, as it is known, searches the Internet for accessible devices that use the same default login credentials that Mirai looks for, and if found, infects them and closes the ports used by Mirai to spread.

      Despite the arguably positive aim of the Hajime botnet, security experts have cautioned that, even after overlooking the legal violations involved, the botnet's actions are at best a temporary and inadequate fix to the underlying security issues posed by insecure IoT devices.

    • 6 Mar

      StoneDrill malware reported

      Researchers reported the discovery of a new malware family designed to wipe all accessible files on the system, which is also capable of spreading itself to other accessible machines on the network. Named StoneDrill, the new malware bears similarities to the existing Shamoon malware, though reports indicate that the two are more likely to have been the products of two separate groups.

      The StoneDrill family mostly appears to focus on organizations in Saudi Arabia, though at least one instance of it appearing in Europe has been noted, indicating either an unintentional infection or an expansion of scope.

    • 14 Mar

      Supply chain attack 'pre-installs' malware on 36 Android phones

      Security researchers reported discovering malicious apps on 36 different models of 'factory-fresh' Android phones. The apps were not part of the official ROM provided by the vendors, indicating that the devices had been infected somewhere along the supply chain or manufacturing process.

      Affected models were mostly from the Samsung Galaxy range, as well as specific models from the Xiaomi, Lenovo, Oppo and Asus brands. The pre-installed apps were mainly designed to either silently collect information or display ads, though at least one was reportedly ransomware.

    • 15 Feb

      APT28 Xagent backdoor for Mac reported

      Security researchers reported discovering a new version of a malware linked to a known cyberespionage group which can target OS X systems in order to steal passwords and screenshots, execute files and so on.

      The emergence of a Mac version of the Xagent backdoor, which is already operable on Windows, Linux and Android, indicates the expanding scope of the APT28 hacker group, which has been previously linked to the 2016 hack of the US Democratic National Committee, among other alleged cyber attacks.

    • 16 Feb

      Flaws found in Android 'connected-car' apps

      Security researchers reported finding security flaws in the Android 'connected-car' apps on offer from seven car manufacturers that could allow hackers to locate or access a connected car through the app itself. The apps were not named in the report.

      According to the researchers, the apps' code lacks basic security protections, potentially allowing attackers to tamper with the programs in order to affect the connected car. The researchers have stressed that they have not found any real-world attacks targeting the flaws they note, and compare the nascent state of 'connected-car' apps to the more secure banking apps, which rapidly incorporated security layers into their design in response to repeated attacks.

    • 10 Jan

      Spora ransomware targets Russian users

      A new ransomware variant dubbed Spora targets Russian users. The malware arrives on the system via spam email pretending to be an invoice from accounting software, with an .hta downloader attached (filename: "Скан-копия _ 10 января 2017г. Составлено и подписано главным бухгалтером. Экспорт из 1С.a01e743_рdf.hta").

      This ransomware differs from other variants in that it asks for a relatively small ransom, and provides options for paying up. The affected users can choose from only restoring files, removing the malware, purchasing immunity, or all of the previously mentioned options for a cheaper package price. This kind of revenue model is the first of its kind with ransomware.

    • 18 Jan

      Fruitfly/Quimitchin backdoor targets Mac OS X and Linux

      Researchers from Malwarebytes discovered a new backdoor malware dubbed Fruitfly/Quimitchin, targeting Mac OS X and Linux platforms. The comments and imported libraries suggest that the malware has been around for multiple years, and it has resided on compromised systems for at least two years. The malware was discovered only recently because it was tightly targeted at systems all belonging to biomedical research institutions.


    • 20 July

      'Devil's Ivy' bug exposes IoT devices to attack

      Security researchers reported the discovery of a buffer overflow vulnerability in the popular gSOAP code library which could leave Internet-connected apps or devices using it vulnerable to remote code execution. gSOAP is used in various consumer devices, including security cameras.

      The flaw, named Devil's Ivy by the researchers, centers on the way the code library handles large XML files sent to a vulnerable system's web server, and if exploited could allow the attacker to change network settings or reset the device to factory default.

      While Genivia, the company maintaining the code library, has already patched the flaw, the library's widespread use in consumer devices - and the poor patching practices of many of the device manufacturers - means that many affected devices are likely to remain unpatched.

    • 5 Apr

      Broadcom Wi-Fi mobile chip flaw reported; Apple, Google issue fixes

      Researchers with Google's Project Zero team reported the discovery of a vulnerability in the Wi-Fi chip produced by Broadcom and used in many mobile devices. Theoretically, the flaw could be exploited to allow an attacker to silently take control of a vulnerable device that is logged onto the same Wi-Fi network as the attacker.

      The news prompted Apple and Google to issue fixes for the flaw, which were published in their iOS 10.3.1 and April Android Security Bulletin updates, respectively. The latest update would not apply to users of older iOS devices, which are no longer supported. Meanwhile, users of Android devices that are not directly updated by Google would need to wait until their relevant device manufacturer issued a security patch addressing the flaw. In the meantime, users are advised to disable their device's Wi-Fi functionality when not on a known network.

    • 9 Apr

      Word zero-day exploited to spam millions with Dridex trojan

      A recently reported zero-day vulnerability in Microsoft Word is being leveraged to distribute the Dridex banking-trojan. According to security researchers, millions of booby-trapped Word documents have been observed being sent out as attachments to spam email messages.

      Unlike most such document-based attacks, use of the zero-day flaw means that no further user action (such as enabling macros) is required once the attachment is opened. Instead, opening the document leads to the vulnerability being exploited, which then automatically executes the embedded Dridex malware. The trojan itself looks for and harvests details related to online banking accounts.

    • 15 Mar

      Flaw reported in WhatsApp, Telegram web apps

      Security researchers privately reported a flaw in the browser-based versions of popular mobile messaging apps WhatsApp and Telegram, which if exploited could allow attackers to send malicious code embedded in an image file. Following the disclosure, both companies quickly issued patches to close the loophole.

      Coverage of the incident has highlighted that in comparison to a smartphone, the web browser remains a more vulnerable channel for communication, even for encrypted messaging applications.

    • 20 Mar

      Cisco: 0-day revealed in 'Vault 7' CIA docs leak

      Cisco announced that its perusal of the documents dumped in the 'Vault 7' WikiLeaks release has turned up a zero-day vulnerability affecting their IOS and IOS XE software. The CVE-2017-3881 flaw could, if exploited, allow an attacker to remotely run code with elevated privileges on affected devices, which include hundreds of router and switch models sold by the company.

      According to Cisco's own security advisory, no workaround exists for the vulnerability, though 'disabling the Telnet protocol as an allowed protocol for incoming connections would eliminate the exploit vector.'

    • 22 Mar

      DoubleAgent exploits Application Verifier

      Security researchers publicized a method to create launch points in Windows by leveraging in-built Application Verifier mechanisms. An attacker with admin privileges could use such methodology to replace a legitimate DLL from Microsoft with a malicious one, and thus hijack any process running under Windows.

      While the original report focused on hijacking antivirus applications, the attack method is reportedly able to target any other application, including the operating system itself. While some companies have issued patches to address the attack method, others have highlighted that an attacker would require both physical access to the targeted machine and admin privileges on it, significantly reducing the severity of the attack method.

    • 29 Mar

      Flaws in LastPass reported

      Google security researchers privately reported three vulnerabilities in popular password manager LastPass in the span of a month, with the first two related to extensions used by the manager in different browsers and the third one being a 'unique and highly sophisticated' vulnerability that could allow malicious sites to steal passwords.

      LastPass quickly issued patches for the first two flaws and confirmed that it is working on a fix for the newest reported vulnerability. In the meantime, the company has also recommended that its users use the LastPass Vault to launch sites until the third flaw is fixed, and where possible, enable two-factor authentication.

    • 20 Feb

      Project Zero discloses Microsoft zero-day

      Google's Project Zero announced its discovery of a zero-day vulnerability (CVE-2017-0038) in the Windows Graphics Device Interface (GDI) after Microsoft failed to address the issue within the standard 90-day window Project Zero provides for disclosing and fixing vulnerabilities.

      According to reports, the announcement had been timed to coincide with Microsoft's February Patch Tuesday release, but the updates were unexpectedly postponed for a month due to a 'last-minute issue'.

    • 23 Feb

      Linux patches decade-old DCCP flaw

      A patch has been released for a recently discovered vulnerability (CVE-2017-6074) in the code for Linux's Datagram Congestion Control Protocol (DCCP), which is enabled on many Linux distributions. According to news reports, the vulnerability was introduced in 2005 when DCCP was first incorporated.

      Administrators are advised to check if their installations are vulnerable and apply the relevant patches as soon as possible. A workaround to manually disable the DCCP kernel module is also available.

    • 22 Feb

      Adobe, Microsoft release updates for Flash flaws

      Adobe and Microsoft both released security updates this week to address 13 vulnerabilities in Flash Player libraries used by Internet Explorer 10, Internet Explorer 11 and Edge. According to reports, the vulnerabilities were not under active exploitation at the time of patch release.


    • 19 July

      Citadel banking-trojan hacker sentenced to 5 years

      Russian hacker Mark Vartanyan was sentenced to 5 years in a US prison after pleading guilty to charges of computer fraud related to his involvement in developing and distributing the banking-trojan known as Citadel. The trojan, which was first seen in 2011 and infected millions over the years, was said to have caused over $500 million in damages for businesses.

    • 20 July

      AlphaBay, Hansa darknet marketplaces shut down

      Major international coordinated law enforcement operations have resulted in the shutdown of the AlphaBay and Hansa dark web marketplaces, which had gained notoriety for being major sources of online illegal goods such as firearms, drugs and pornography.

      The alleged administrator of the AlphaBay site was arrested in Thailand as part of the operations, though news reports indicated that he later took his own life while in his jail cell.

    • 21 July

      Hacker pleads guilty to Deutsche Telekom router hijacking

      A British hacker known as 'Spiderman' pleaded guilty to carrying out a cyber attack on Deutsche Telekom's routers last year that disrupted service for almost 1.2 million of the German telco's users.

      According to news reports, the hacker had been commissioned by an unnamed Liberian telecommunications company to create a botnet to be used for attacking a rival company. The inclusion of Deutsche Telekom's routers had apparently been unintentional and the hacker only learned of its effects from media reports.

    • 5 June

      NSA contractor charged with leaking Russian hacking report

      US federal authorities announced the arrest of National Security Agency (NSA) contractor Reality Leigh Winner on charges of removing classified materials from a government facility and sending them to a news outlet. The announcement was made shortly before The Intercept news site published an article based on an anonymously leaked NSA report regarding hacking attacks against US election voting machinery.

    • 9 June

      China: Gang arrested for selling Apple users' data

      Law enforcement authorities in China reported the detention of 22 individuals in the country on charges of illegally obtaining the data of Apple users, apparently for sale in China. According to reports, 20 of the detained individuals worked for a domestic Apple 'sales and outsourcing company'; there has been no confirmation of whether the data belonged to Apple users in China or elsewhere.

    • 10 Apr

      Kelihos botnet shutdown, author arrested

      The US Department of Justice announced a push to take down the notorious Kelihos botnet, in part by blocking the malicious domains associated with the botnet. As part of a coordinated effort, Russian national Peter Levashov (who is accused of being the botnet's mastermind) was arrested by local authorities during a holiday in Spain.

      The Kelihos botnet has been active since at least 2010, and during its heyday was used in a wide range of nefarious activities: it stole login details and other confidential data from infected machines, installed malware, and distributed spam, among other mischief.

    • 21 Apr

      UK jails teen for creating DDoS attack service

      The United Kingdom handed down a 2-year prison term to Adam Mudd, who pleaded guilty to creating and operating the 'Titanium Stresser' distributed denial-of-service (DDoS) attack service. According to news reports, the service was used to launch disruptive attacks on such major sites as Microsoft and Xbox Live.

      Mudd was reportedly 16 when he created the attack service; the now 20-year-old is the latest in a series of investigations and arrests by law enforcement authorities targeting such DDoS attack services.

    • 24 Apr

      US: 27-year prison sentence for Russian carder

      The US has handed down the longest-ever sentence for hacking to Russian national Roman Seleznev, after finding him guilty of compromising point-of-sale (POS) systems to steal credit card data.

      Seleznev, who is the son of a prominent Russian parliamentary member, was sentenced to 27 years in prison on 38 charges, including wire fraud and aggravated identity theft. The extraordinary length of the sentence was said to be considered a 'deterrent', as prosecutors argued that in addition to causing some '$169 million in damage' to businesses in the US, Seleznev had been instrumental in establishing and growing an industry around collecting and selling stolen credit card data.

    • 9 Feb

      NSA contractor indicted for data theft

      Former US National Security Agency (NSA) contractor Harold Thomas Martin has been formally indicted for the theft of classified government information. Martin was accused of secretly stockpiling highly sensitive data over the period of 1996 to 2016, and keeping the material in his house or car. Of particular note were materials related to the tools used by NSA to infiltrate computer systems in other nations, though prosecutors have not accused the defendant of being involved in recent incidents where such information was publicly leaked online. Prosecutors have also not attributed a motive for Martin's actions.

    • 23 Feb

      UK: Deutsche Telekom hack suspect arrested

      Britain's National Crime Agency (NCA) has arrested a suspect at Luton Airport in connection with the 2016 botnet-related cyber attack that reportedly infected roughly 900,000 routers belonging to customers of Germany's Deutsche Telekom service.

Product Security

    • 18 July

      Google: New security measure against unverified apps risk

      Google announced it would be introducing a new security measure that would notify Android users when they use a new web app that is either unverified or still pending verification. The notification screens shown to the user before they can use the app would include a warning, a permissions consent screen and additional steps they would need to take if they still want to use the app.

      The introduction of the new security feature is said to be a response to a phishing app scam discovered in May this year, when an app exploiting the Google Docs name and branding was found to be phishing user data. The scam reportedly affected at least 1 million Gmail users.

    • 19 July

      Apple: iOS 10.3.3 update patches multiple security issues

      Apple has released an update for its iOS, macOS, and watchOS operating systems, which addresses dozens of exploitable security vulnerabilities. The patch includes fixes for multiple flaws in the WebKit browser engine which could be exploited for remote code execution. Users are urged to apply the relevant update for their devices at the earliest opportunity.

    • 9 June

      Report: Windows firewall bypass technique using Intel's AMT

      Microsoft published their analysis of a technique reportedly used by a hacking group based in Southeast Asia that successfully subverts legitimate Windows management tools to evade endpoint monitoring software.

      The PLATINUM group was reportedly able to abuse Intel's Active Management Technology (AMT) in such a way that it could send files to compromised machines without triggering the built-in Windows firewall. The technique only works where AMT has already been enabled and, according to the write-up, it is not undetectable: Windows Defender is able to distinguish between legitimate and malicious uses of AMT.

    • 15 Apr

      Microsoft quietly fixed flaws revealed in Shadow Brokers NSA dump

      Shortly after the news broke that hacking group Shadow Brokers had released documents allegedly from the NSA containing exploits for Windows products, Microsoft announced that most of the flaws targeted by the exploits had already been addressed in prior security updates. Three flaws still unpatched reportedly do not affect the most recent supported Windows systems, though older, unsupported systems may still be exposed.

    • 19 Apr

      Oracle releases 299-flaw patch, fixes flaw revealed in Shadow Brokers leak

      Oracle has released a monster security patch that addresses almost 300 vulnerabilities across the company's product lines.

      Of particular note among the fixes are the flaw in the Apache Struts framework, which has been under active attack since its revelation in early March, and CVE-2017-3622, a vulnerability in Solaris 10 and 11.3 which was first publicly revealed in the dump of NSA-related content by hacking group Shadow Brokers.

      Users and administrators of affected products are urged to apply the patch as soon as possible.

    • 19 Apr

      Microsoft moving from passwords to Authenticator app

      Microsoft issued an update to its Authenticator mobile app intended to simplify how users access their Microsoft accounts. With the update, users can now simply tap a button displayed in the app when they are logging into their accounts, rather than remembering a password or having to use an app-generated one-time PIN.

      According to reports, Microsoft aims to move away from passwords towards an app-based authentication method that it believes is more user-friendly, since it removes the need to deal with passwords, and more secure, since an attacker would need physical possession of the registered mobile device.

    • 7 Mar

      Apple: Many 'Vault 7' flaws already fixed

      Following WikiLeaks' 'Vault 7' release of documents allegedly describing CIA hacking tools, Apple released a statement saying that many of the exploits revealed in the material had already been addressed in the latest updates for its iOS system. The company also said that it is working to 'rapidly address' the rest.

      The leaked documents contained details of exploits that targeted mobile operating systems from both Apple and Google, though thus far only Apple has issued a statement addressing the revelations.

    • 14 Mar

      Patch Tuesday fixes 134 flaws

      Following an unexpected pause in its patch release cycle last month, Microsoft pushed out a monster update in this month's Patch Tuesday release, with 18 patches (9 of them marked Critical) to address 134 vulnerabilities. Users are, as usual, urged to apply the patches at their earliest convenience.

    • 23 Mar

      Instagram adds 2-factor authentication

      Popular image-sharing site Instagram has introduced 2-factor authentication in a move to improve security for its users. The measure is aimed at protecting users against having their accounts compromised if an attacker manages to steal their login credentials (most commonly through phishing attacks or password reuse), and requires a six-digit code sent to the user's device each time they want to log into the service.

    • 27 Mar

      Google acts against Symantec 'mis-issued' certs

      Google announced that its Chrome web browser will be reducing the level of trust it assigns to certificates issued by Symantec, which are used by hundreds of thousands of websites to authenticate their encrypted connections. The announcement follows reports that Symantec, which reportedly serves as a Certificate Authority (CA) for almost 30% of all sites on the Internet as of 2015, had issued the coveted certificates to some 30,000 sites without properly verifying the recipients, thereby undermining the value and usefulness of the issued certificates.

      The latest move would have Chrome reducing the amount of time that the affected certificates are considered 'trusted', as well as requiring that the sites using such certificates replace them with newer, trusted ones. For its part, Symantec has called Google's claims 'exaggerated and misleading'. Website owners who use Symantec-issued certificates would in the meantime have to take steps to ensure that Chrome-using visitors would still be able to access their site as normal.

    • 31 Mar

      Microsoft: No patch for flaw in EOL'ed Windows Server

      Microsoft has confirmed it will not issue a patch for a zero-day vulnerability in IIS 6 on Windows Server 2003 R2, which has not been supported since 2010. The CVE-2017-7269 flaw could allow an attacker to remotely run code on a vulnerable machine, and had reportedly already been actively exploited in the wild last year.

      The confirmation from Redmond follows the release of proof-of-concept (POC) exploit code by security researchers, which has led to concerns that malware authors would integrate the POC into their own attack code. According to reports, some 600,000 servers are still using IIS 6 today, with many of them based in China and the US.

    • 13 Jan

      WhatsApp vs The Guardian: It's not a 'backdoor', it's a 'feature'

      An article published in The Guardian caused concern among security researchers over claims that the popular mobile messaging app WhatsApp contained what it called a 'backdoor'. The article reported the contention of an independent security researcher that the way the app handles changes in a user's encryption key amounted to a 'retransmission vulnerability' that could allow an attacker to intercept and read encrypted messages.

      WhatsApp has rejected the claim, arguing that the behaviour was a deliberate design choice balancing performance and usability so as to provide security without disrupting the user experience for its largely non-technical user base. Security researchers also disagreed with the characterization of the issue as either a 'backdoor' or a 'vulnerability', and issued an open letter to The Guardian calling for the article to be retracted.

    • 19 Jan

      $40K payout for critical ImageMagick bug bounty report

      A security researcher discovered a way to circumvent the patch that the Facebook security team had used to fix the critical remote code execution vulnerability in the open-source ImageMagick image-processing tool that was reported last May. The researcher subsequently reported his discovery to Facebook, which quickly closed the hole and rewarded the researcher with a $40,000 payout under its bug bounty program, the biggest payment it has made to date.


Items listed in the Calendar were reported in various technology news portals, security research publications, law enforcement sites, major newspapers and our own F-Secure Weblog.

See our Threat Reports for previous editions of the Incidents Calendar.