[German]To conclude the month of January 2020, here is some information on security issues that have come to my attention in the last few hours.
Advertising
NEC hacked in 2016
The Japanese manufacturer NEC (electronics and IT) was hacked in 2016 and data was pulled. Hackers stole 27,445 files from the defense division. The hack has only now been made public.
NEC confirms that some of the internal servers used by the company's defense division are subject to unauthorized third-party access. Based on investigations by the company and external professional organizations, no damage such as information leaks have been confirmed to date.
July 2018, we succeeded in decrypting the encrypted communication with an infected server and an external server that was carrying out unauthorized communication, and storing it on our internal server for information exchange with other departments of our Defense division. It was discovered that 27,445 files were accessed illegally.
Bleeping Computer addressed this issues within the following tweet. The tweet shows outlines from the NEC press release.
NEC confirmed defense business division security breach in a press release issued today.
• Network initially infiltrated after December 2016
• Unauthorized communication detected and blocked in June 2017
• Encrypted communication with external servers decrypted in July 2018 pic.twitter.com/S9Wdj1TH17— BleepingComputer (@BleepinComputer) January 31, 2020
Catalin Cimpanu has published also an article on ZDnet.com, as he writes in the following tweet.
In a press conference today, Japan's defense minister says NEC is second of four defense companies that have been hacked between 2016 and 2018.
The first was Mitsubishi Electric — breach disclosed last week.
The last two have not been named yet.
— Catalin Cimpanu (@campuscodi) January 31, 2020
Advertising
Hong Kong universities infected with malware
According to the subsequent tweet from Bleeping Computer, Hong Kong universities have been infected with malware. The infection is said to have been caused by the malware Winnti.
Winnti Group Infected Hong Kong Universities With Malware – by @sergheihttps://t.co/gkCRY2IMiK
— BleepingComputer (@BleepinComputer) January 31, 2020
The attacks were discovered in November 2019, after the security company's Augur machine learning engine detected malware samples from ShadowPad Launcher on several devices at the two universities, following the discovery of Winnti malware infections two weeks earlier, in October.
These attacks were very targeted as the Winnti malware and the multi-modular ShadowPad backdoor contained both command and control URLs as well as campaign identifiers associated with the names of the affected universities.
Magento has a RCE vulnerability
The eCommerce shop software Magento has a remote code execution vulnerability up to versions 1.9.4.3/1.14.4.3/2.2.10/2.3.3, as the following tweet reports:
Magento up to 1.9.4.3/1.14.4.3/2.2.10/2.3.3 Deserialization Remote Code Execution https://t.co/2178vtaObr pic.twitter.com/Mzf1pPb0Nr
— Digitalmunition (@maher275) January 30, 2020
Microsoft Azure was vulnerable to attack via vulnerability
Cyber security researchers at Check Point have revealed details of two recently patched, potentially dangerous vulnerabilities in Microsoft Azure services. These would have allowed attackers to target several companies running their web and mobile applications on Azure. The Hacker News has compiled details in this article.
New attack method via Excel
Microsoft has discovered a new attack vector in the analysis of the TA505 phishing campaign that takes advantage of Excel files.
The new campaign uses HTML redirectors attached to emails. When opened, the HTML leads to the download Dudear, a malicious macro-laden Excel file that drops the payload. In contrast, past Dudear email campaigns carried the malware as attachment or used malicious URLs. pic.twitter.com/mcRyEBUmQH
— Microsoft Security Intelligence (@MsftSecIntel) January 30, 2020
Blog reader 1ST1 referred to this fact in this comment and linked to the article by Bleeping Computer.
Trickbot uses UAC bypass trick
The Malware Trickbot uses a new trick to bypass user account control and gain admin rights. Bleeping Computer points out the topic in the following tweet.
Just two weeks after adding the fodhelper.exe Windows 10 UAC bypass, TrickBot has started using the Wsreset.exe UAC bypass instead.
Constantly evolving and keeping all of you on your toes!
— BleepingComputer (@BleepinComputer) January 30, 2020
There are some German blog posts on the topic of UAC bypassing (see the article list at the end of the post).
[local] Microsoft Windows – Multiple UAC Protection Bypasses https://t.co/rSXvOEvkWR
— Nicolas Krassas (@Dinosn) December 9, 2019
Nicolas Krassas refers in the link above to an article with information about UAC bypassing.
About Active Directory Dumping by Trickbot I would like to point out this PDF document.
Does Amazon track its Kindle users?
A few hours ago I came across a weird tweet. Adrianne Jeffries requested the data on his devices from Amazon.
Amazon appears to be tracking every tap on Kindle. I just got my data back and there are 90K rows of this pic.twitter.com/wVCSXCTVwv
— Adrianne Jeffries (@adrjeffries) January 28, 2020
She has the impression that on her Kindle every tap on the screen is recorded.
Similar articles (German):
Windows10: Neue UAC-Bypassing-Methode (fodhelper.exe)
Windows UAC über SilentCleanup ausgehebelt
Erebus Ransomware und die ausgetrickste UAC
