News & Updates

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web”, is online with a special deal: a 20% discount on both the Kindle Edition and the Paper Copy of Digging The Deep Web.

Once again thank you!

· DNS Hijacking targets Brazilian financial institutions
· Unsecured AWS S3 Bucket exposed sensitive data on 31,000 GoDaddy servers
· Apple zero-day exposes macOS to Synthetic Mouse-Click attacks
· Faxploit – Critical flaws potentially expose millions of HP OfficeJet Printers to hack
· Oracle warns of CVE-2018-3110 Critical Vulnerability in Oracle Database product, patch it now!
· Google tracks users’ movements even if they have disabled the Location History on devices
· ICS-CERT warns of critical flaws in NetComm industrial routers
· Key Reuse opens to attacks on IPsec IKE, Cisco, Huawei, ZyXEL products are affected
· Adobe August 2018 Patch Tuesday addresses 11 vulnerabilities in its products
· August 2018 Microsoft Patch Tuesday fixes two flaws exploited in attacks in the wild
· Foreshadow Attacks – experts found 3 new Intel CPU side-channel flaws
· Hundreds of Instagram accounts were hijacked in a coordinated attack
· Cyber Defense Magazine – August 2018 has arrived. Enjoy it!
· PhishPoint Phishing Attack – A new technique to Bypass Microsoft Office 365 Protections
· Piping botnet: Researchers warn of possible cyberattacks against urban water services
· SAP Security Notes August 2018, watch out for SQL Injection
· An Australian schoolboy hacked into Apple Servers and stole 90GB of secure files
· Black Hat 2018 – Expert demonstrated a new PHP code execution attack
· Cosmos Bank – Hackers stole Rs 94 crore ($13.5 million) in just 2 days
· CVE-2018-14023 – Recovering expired messages from Signal
· Linux Kernel Project rolled out security updates to fix two DoS vulnerabilities
· 2.6 billion records exposed in 2,308 disclosed data breaches in H1
· Marap modular downloader opens the doors to further attacks


Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 176 – News of the week appeared first on Security Affairs.

Source: Security affairs

Monitor-IO is a $100 IoT gadget that tells you whether your Internet is working well, poorly, or not at all. The idea is you put this little black box next to (and plugged directly into) your router, and a quick glance at its color-coded screen will let you know if the Internet’s working solidly, if it’s having some problems, or if everything is just plain out. Monitor-IO even promises to tell users granular details like how long a connection has been up, or sketchy, or out.

All of this raises the question: do you need a gadget for that?



The North Korea-linked Dark Hotel APT group is leveraging the recently patched CVE-2018-8373 vulnerability in the VBScript engine in attacks in the wild.

The vulnerability affects Internet Explorer 9, 10 and 11 on all supported versions of Windows; it was first disclosed last month by Trend Micro.

The flaw could be exploited by remote attackers to take control of vulnerable systems by tricking victims into viewing a specially crafted website in Internet Explorer. An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine.

“A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.” reads the security advisory published by Microsoft.

“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Analysis of the exploit code for CVE-2018-8373 revealed that it shares the obfuscation technique used by another exploit, one that triggers the CVE-2018-8174 flaw.

CVE-2018-8174 was first discovered by experts at the Chinese security company Qihoo 360 and was fixed by Microsoft in May.

The similarities between the two exploits suggest that they were developed by the same threat actor.

“We found this exploit using heuristics, which led to a more in-depth analysis. Interestingly, we found that this exploit sample uses the same obfuscation technique as exploits for CVE-2018-8174, a VBScript engine remote code execution vulnerability patched back in May,” wrote Trend Micro.

“We suspect that this exploit sample came from the same creator. Our analysis revealed that it used a new use-after-free (UAF) vulnerability in vbscript.dll, which remained unpatched in the latest VBScript engine.”


A similar theory was proposed by experts from Qihoo 360, who collected evidence linking the use of the CVE-2018-8373 exploit to Dark Hotel.

The experts discovered that the domain name embedded in the Office documents used in the latest attacks is the same one used to download the Double Kill exploit code in previous attacks attributed to the North Korea-linked APT group.

“The 360 Threat Intelligence Center first obtained the IOC address after Trend Micro coding through the big data analysis association: [figure: Associated homologous 0day attack sample],” states Qihoo.

“And found an attack time and trend technology found in the wild “double kill” 0day attack on the same day suspected of using the 0day attack of the office document sample, the domain name embedded in the Office document sample and the domain name format given by Trend Micro (http ://windows-updater[.]net/stack/ov[.]php?w= 1x00who =1)”


In the analysis published in May by Qihoo 360, the researchers associated the CVE-2018-8373 exploit with Dark Hotel based on TTPs attributed to the threat actor (for example, the decryption algorithm used by the malware is identical to Dark Hotel’s).

Experts speculated that CVE-2018-8373 was used in a cyber espionage campaign aimed at China.


Pierluigi Paganini

(Security Affairs – Dark Hotel, APT)

The post North Korea-linked Dark Hotel APT leverages CVE-2018-8373 exploit appeared first on Security Affairs.

Source: Security affairs

Samuel Axon

I’ve been a musician for the past 20 years, but I’ve been an electronic musician for a lot less than that. I use Apple’s Logic Pro and a variety of software synthesizers to record songs these days, but coming from an electric guitar, I’ve missed the natural expressiveness that comes from playing a traditional instrument—particularly a stringed one.

Yes, you can create amazing expressive sounds with software, but there’s just something about having that direct connection from your fingers to the amp or speakers that can’t be replicated.



Workhorse’s electric helicopter looks less like a traditional helicopter and more like an oversized drone. (credit: John Timmer)

I wasn’t sure entirely what I expected an electric helicopter to look like, but what I found waiting for me at New York’s Flatiron Plaza wasn’t it. It’s not because it didn’t look like a helicopter; to an extent, it did. It just looked more like a grossly oversized drone with seats.

Workhorse, the company that makes the helicopter, wasn’t giving anyone rides in the hardware, which is still undergoing FAA testing. But company CEO Steve Burns was there to talk about the ‘copter, which is being called the SureFly. And, for good measure, he also showed off an electric pickup truck, which went by the less dramatic moniker W-15.

If pickup trucks and helicopters seem largely unrelated, it’s only because they’re at opposite extremes of the company’s business interests. Workhorse is currently building electric delivery vans and testing one with a drone-based delivery system integrated into the van roof. (During our conversation, Burns mused about the prospect of using a drone to deliver burgers from a nearby Shake Shack to a 25th-floor balcony on one of the buildings that overlooked the plaza.) So both are in keeping with the company’s interests.



A foraging bee. (credit: Nunzio_Zotti / Flickr)

We need bees to pollinate the plants that feed us. And bees need us to stop inadvertently poisoning them with the insecticides we use to keep those plants healthy. Unfortunately, just as we start to make progress on reducing the worldwide use of neonicotinoids (a class of insecticides that are toxic to bees), it seems like we might be at risk of rolling out an alternative insecticide that causes similar problems.

“Sulfoximine-based insecticides are the most likely successor [to neonicotinoids]” write the University of London’s Harry Siviter and his colleagues in a paper published in Nature this week. And that’s not great, as they found that bumblebee colonies exposed to a sulfoximine-based insecticide called sulfoxaflor suffered severe effects compared to a control colony. The insecticide didn’t kill the bees, but it damaged their ability to run a successful colony—a similar effect to neonicotinoids.


When insecticides are sprayed on crops, they settle not just on the crops themselves but also nearby wildflowers. Crops grown from insecticide-treated seeds also result in contaminated dust, soil, and pollen. This all exposes foraging bumblebees to the insecticide and also means that contaminated pollen and nectar make their way back to the bee colony, where larvae are exposed.



Security experts have observed increasing cyber espionage activity related to China’s Belt and Road Initiative (BRI).

The alarm was raised by experts from the cybersecurity firms FireEye and Recorded Future.

China’s Belt and Road Initiative (BRI) is a development project to build infrastructure connecting countries in Southeast Asia, Central Asia, the Middle East, Europe, and Africa.

For this reason, the project is considered strategic by almost every intelligence agency.

FireEye defined it as a “driver of regional cyber threat activity”; its experts warn of a spike in espionage operations aimed at gathering information on the project.

Cyber spies are already targeting organizations from various sectors that are involved in the project.

“Cyber espionage activity related to the initiative will likely include the emergence of new groups and nation-state actors. Given the range of geopolitical interests affected by this endeavor, it may be a driver of emerging nation-state cyber actors to use their capabilities,” reads a report published by FireEye.

FireEye uncovered an espionage campaign carried out by the China-linked APT group dubbed Roaming Tiger.

Roaming Tiger was first documented by experts at ESET in 2014; in December 2015 experts uncovered a cyber espionage campaign by the group aimed at Russian organizations.

The APT group targeted entities in Belarus using specially crafted documents that referenced the Chinese infrastructure project as bait.

FireEye observed several malware families being used against organizations involved in the BRI project.

According to FireEye, Chinese hackers used the TOYSNAKE backdoor against several European foreign ministries; another malware family, tracked as BANECHANT, was used to target the Maldives, a strategic center for financial investments related to BRI; the LITRECOLA malware was used in attacks against Cambodia; and the SAFERSING malware was involved in campaigns against international NGOs.

Experts also mentioned the recent attacks by the TEMP.Periscope group on the maritime industry.

“We expect BRI will also highlight the capabilities of emerging cyber actors across Asia and the Middle East and under what norms such nation-states sponsors will employ their capabilities,” FireEye said in its report. “Prior FireEye iSIGHT Intelligence reporting has noted that rising regional cyber actors, such as Vietnam, have been willing to employ their espionage capabilities against foreign corporations conducting business inside their borders. Similarly, there may be a willingness for other nation-state actors to aggressively target private sector organizations contributing to BRI.”

Researchers at Recorded Future also reported several attacks originating from China, specifically from an IP address at Tsinghua University.

The hackers targeted the Tibetan community as well as many government and private sector organizations worldwide.

The attacks launched from the Tsinghua IP address targeted Mongolia, Kenya, and Brazil, which “are key investment destinations as part of China’s Belt and Road Initiative.”

“During the course of our research, we also observed the Tsinghua IP scan ports and probe government departments and commercial entities networks in Mongolia, Kenya, and Brazil. Each of these countries are key investment destinations as part of China’s Belt and Road Initiative.” states the report published by Recorded Future.

“We assess with medium confidence that the consistent reconnaissance activity observed from the Tsinghua IP probing networks in Kenya, Brazil, and Mongolia aligns closely with the BRI economic development goals, demonstrating that the threat actor using this IP is engaged in cyberespionage on behalf of the Chinese state,” the report continues.


The appendix in the PDF report published by Recorded Future includes a full list of the associated indicators of compromise.


Pierluigi Paganini

(Security Affairs – China’s Belt and Road Initiative project, cyberespionage)

The post China’s Belt and Road project (BRI) is a driver of regional cyber threat activity appeared first on Security Affairs.

Source: Security affairs

The last remaining piece of a monster fatberg that was discovered in Whitechapel sewers last September. (credit: David Parry/PA Wire)

You can now feast your eyes on a festering chunk of solidified sewage as it ages, not-so-gracefully, inside a specially-designed isolation case that is being livestreamed from a museum in London.

Is there anything more 21st century than that?

The rancid refuse was chipped off an infamous sewer clog discovered in London late last year called the Whitechapel “Fatberg”—the preferred term for such muck monsters. The complete clog clocked in as an epic 250-meter-long, 130-metric ton mass of congealed excrement and waste, thought to be one of the largest—if not the largest—fatbergs ever identified. Authorities found it blocking a Victorian-era sewer line in the eastern Whitechapel area of the city. They spent nine long weeks in a subterranean war, hacking and blasting away the hardened blob of feces, fats, wet wipes, and various other detritus.



According to a report from the cyber threat intelligence firm Risk Based Security, some 2.6 billion data records were exposed in data breaches in the first half of 2018.

The report, titled “Mid-Year 2018 Data Breach QuickView”, was published by the cyber threat intelligence company Risk Based Security and counts roughly 2.6 billion data records exposed in the first half of 2018.

This striking figure is the result of 2,308 publicly disclosed data breaches; even so, it represents a drop from the 6 billion data records exposed in the 2,439 breaches reported for the first half of 2017.

Five breaches exposed more than 100 million records each; the biggest data breach reported this year was the one suffered by India’s biometric database Aadhaar, which exposed 1.19 billion records.

“2018 has been a curious year. After the wild ride of 2017, we became accustomed to seeing a lot of breaches, exposing extraordinary amounts of information. 2018 is remarkable in that the number of publicly disclosed breaches appears to be leveling off while the number of records exposed remains stubbornly high,” declared Inga Goddijn, Executive Vice President for Risk Based Security.

“It’s not easy to characterize 2.6 billion records exposed as an improvement, even if it is less than the 6 billion exposed at this time last year.”


The most affected sector is business (40%), followed by healthcare (8.3%), government (8.2%), and education (4.5%); a further 40% of the affected organizations were not classified in the report, which is not a negligible share.

Experts observed a significant drop in the number of data breaches in the first quarter, but in the second quarter the number of incidents returned to a more “normal” pace.

Phishing remains the most popular method for harvesting credentials; the stolen credentials are then used to gain access to systems or services in subsequent attacks.

Looking at the breach types, the highest share of records is related to hacking (54.6%), followed by fraud (47.5%).

The number of vulnerabilities reported this year is on pace to overtake the previous year’s total; in many cases the root cause of a data breach was the exploitation of such flaws in unpatched systems.

The data breach landscape was also influenced by the introduction of the GDPR in May: under the European regulation, affected companies are obliged to disclose an incident within 72 hours.

“There are a lot of moving parts to an effective information security program and certainly patch management is one of the trickier components to tackle. That said, tried and true social engineering techniques combined with the ability to take advantage of unpatched weaknesses are some of the most effective tools malicious actors can use. That means defending against activities like phishing and solid vulnerability management go hand in hand when it comes to stopping hackers,” added Ms Goddijn.

“While we expect hacking to remain the leading cause of data loss, we can’t lose sight of the damage that can come from accidental exposure. Misconfigured services, exposed S3 buckets and even improper email handling have led to more than their fair share of recent breaches. This type of data loss is easily prevented and protecting against it is nearly entirely within the organization’s control. It shouldn’t be overlooked in the quest to prevent external attacks.”


Pierluigi Paganini

(Security Affairs – data breached, hacking)

The post 2.6 billion records exposed in 2,308 disclosed data breaches in H1 appeared first on Security Affairs.

Source: Security affairs

The boardgame for the book is better crowd? (credit: Charlie Theel)

Welcome to Ars Cardboard, our weekend look at tabletop games! Check out our complete board gaming coverage at

Few moments linger in my brain like a particular scene in John Carpenter’s movie The Thing. In the cold of an Antarctic night, the group corners and confronts a mutated imitation of their pal Bennings, its eyes wide and mouth gaping. They give it the torch and burn it down. The moment is as unsettling as the film is iconic.

Carpenter’s work was an imaginative take on the novella Who Goes There? by John Campbell. As good as the transition to film was, we now have another interpretation—one made of cardboard and plastic. The new board game from Certifiable Studios means you too can now snuff out an insidious alien life form.
