Monday review - the hot 28 stories of the week
via "Naked Security".
From the DNS outage that deleted users' Azure data to the Nest security cam hijacker, and everything in between. It's weekly roundup time.
Selling fake likes and follows is illegal, rules New York
via "Naked Security".
A groundbreaking settlement in New York finds that selling fake likes and followers is illegal.
FBI burrowing into North Korea's big bad botnet
via "Naked Security".
The FBI revealed that it joined the Joanap botnet and started chewing it up from the inside.
Chrome's hidden lookalike detection feature battles URL imposters
via "Naked Security".
Chrome now checks for misspellings of popular URLs and will display a link to the site that it thinks the user might have wanted to visit.
Security weaknesses in 5G, 4G and 3G could expose users' locations
via "Naked Security".
Researchers have discovered security holes in 5G, 4G and 3G telephony protocols, which can expose a user's location.
SpeakUp Linux Backdoor Sets Up for Major Attack
via "Threatpost | The first stop for security news".
Armed with an impressive bag of exploits and other tricks for propagation, researchers believe the new trojan could be the catalyst for an upcoming, major cyber-offensive.
IoT Security's Coming of Age Is Overdue
via "Dark Reading".
The unique threat landscape requires a novel security approach based on the latest advances in network and AI security.
'Collection #1' Data Dump Hacker Identified
via "Threatpost | The first stop for security news".
Despite several threat actors stating they are behind a massive 773M credential dump, researchers believe they have found the real distributor.
3 ways state actors target businesses in cyber warfare, and how to protect yourself
via "Security on TechRepublic".
State-sponsored groups are leveraging weaknesses in IoT devices to build botnets, and attacking private industry and public infrastructure in attacks, according to a Booz Allen report.
Facebook Struggles in Privacy Class-Action Lawsuit
via "Dark Reading".
Facebook's privacy disclosures "are quite vague" and should have been made more prominent, a federal judge argued.
Spy Campaign Spams Pro-Tibet Group With ExileRAT
via "Threatpost | The first stop for security news".
Referencing the Dalai Lama, the spam campaign is targeting recipients of a mailing list run by the Central Tibetan Administration.
Researchers Devise New Method of Intrusion Deception for SDN
via "Dark Reading".
Team from University of Missouri take wraps off Dolus, a system 'defense using pretense' which they say will help defend software-defined networking (SDN) cloud infrastructure.
⌨ Crooks Continue to Exploit GoDaddy Hole ⌨
Godaddy.com, the world's largest domain name registrar, recently addressed an authentication weakness that cybercriminals were using to blast out spam through legitimate, dormant domains. But several more recent malware spam campaigns suggest GoDaddy's fix hasn't gone far enough, and that scammers likely still have a sizable arsenal of hijacked GoDaddy domains at their disposal.
On January 22, KrebsOnSecurity published research showing that crooks behind a series of massive sextortion and bomb threat spam campaigns throughout 2018 - an adversary that's been dubbed "Spammy Bear" - achieved an unusual amount of inbox delivery by exploiting a weakness at GoDaddy which allowed anyone to add a domain to their GoDaddy account without validating that they actually owned the domain.
Spammy Bear targeted dormant but otherwise legitimate domains that had one thing in common: They all at one time used GoDaddy's hosted Domain Name System (DNS) service. Researcher Ron Guilmette discovered that Spammy Bear was able to hijack thousands of these dormant domains for spam simply by registering free accounts at GoDaddy and telling the company's automated DNS service to allow the sending of email with those domains from an Internet address controlled by the spammers.
Very soon after that story ran, GoDaddy said it had put in place a fix for the problem, and had scrubbed more than 4,000 domain names used in the spam campaigns that were identified in my Jan. 22 story. But on or around February 1, a new spam campaign that leveraged similarly hijacked domains at GoDaddy began distributing Gand Crab, a potent strain of ransomware.
As noted in a post last week at the blog MyOnlineSecurity, the Gand Crab campaign used a variety of lures, including fake DHL shipping notices and phony AT&T e-fax alerts. The domains documented by MyOnlineSecurity all had their DNS records altered between Jan. 31 and Feb. 1 to allow the sending of email from Internet addresses tied to two ISPs identified in my original Jan. 22 report on the GoDaddy weakness.
"What makes these malware laden emails much more likely to be delivered is the fact that the sending domains all have a good reputation," MyOnlineSecurity observed. "There are dozens, if not hundreds of domains involved in this particular campaign. Almost all the domains have been registered for many years, some for more than 10 years."
A "passive DNS" lookup shows the DNS changes made by the spammers on Jan. 31 for one of the domains used in the Gand Crab spam campaign documented by MyOnlineSecurity. Image: Farsight Security.
In a statement provided to KrebsOnSecurity, GoDaddy said the company was confident the steps it took to address the problem were working as intended, and that GoDaddy had simply overlooked the domains abused in the recent GandCrab spam campaign.
"The domains used in the Gand Crab campaign were modified before then, but we missed them in our initial sweep," GoDaddy spokesperson Dan Race said. "While we are otherwise confident of the mitigation steps we took to prevent the dangling DNS issue, we are working to identify any other domains that need to be fixed."
"We do not believe it is possible for a person to hijack the DNS of one or more domains using the same tactics as used in the Spammy Bear and Gand Crab campaigns," Race continued. "However, we are assessing if there are other methods that may be used to achieve the same results, and we continue our normal monitoring for account takeover. We have also set up a reporting alias at dns-spam-concerns@godaddy.com to make it easier to report any suspicious activity or any details that might help our efforts to stop this kind of abuse."
That email address is likely to receive quite a few tips in the short run. Virus Bulletin editor…
6 Security Tips Before You Put a Digital Assistant to Work
via "Dark Reading".
If you absolutely have to have Amazon Alexa or Google Assistant in your home, heed the following advice.
ATTENTION! New - CVE-2016-1000276
via "National Vulnerability Database".
Audacity version 2.1.2 is vulnerable to DLL Hijack; it tries to load avformat-55.dll without supplying the absolute path, thus relying upon the presence of such DLL on the system directory. This behavior results in an exploitable DLL Hijack vulnerability, even if the SafeDllSearchMode flag is enabled.
ATTENTION! New - CVE-2016-1000271
via "National Vulnerability Database".
Joomla extension DT Register version before 3.1.12 (Joomla 3.x) / 2.8.18 (Joomla 2.5) contains an SQL injection in "/index.php?controller=calendar&format=raw&cat[0]=SQLi&task=events". This attack appears to be exploitable if the attacker can reach the web server.
New Botnet Shows Evolution of Tech and Criminal Culture
via "Dark Reading".
Cayosin brings together multiple strands of botnet tech and hacker behavior for a disturbing new threat.
Exposed Consumer Data Skyrocketed 126% in 2018
via "Dark Reading".
The number of data breaches dropped overall, but the amount of sensitive records exposed jumped to 446.5 million last year, according to the ITRC.
Kids' GPS watches are still a security 'train wreck'
via "Naked Security".
Anyone could have accessed the entire database, including a child's location, on Gator watches and other models that share its back end.
ATTENTION! New - CVE-2017-18362
via "National Vulnerability Database".
ConnectWise ManagedITSync integration through 2017 for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database. In February 2019, attackers actively exploited this in the wild to download and execute ransomware payloads on all endpoints managed by the VSA server. If the ManagedIT.asmx page is available via the Kaseya VSA web interface, anyone with access to the page is able to run arbitrary SQL queries, both read and write, without authentication.
Crypto exchange in limbo after founder dies with password
via "Naked Security".
The only person who knew the password is dead, leaving customers unable to access around $190 million in fiat and virtual currency.