Security information February 20, 2020

[German]Here' a collectiong of security topics that have come to my attention in the last hours and that I do not put into separate blog posts. It's about ransomware, malicious Android apps etc.


Travelex: Still issues after Ransomware infection

An example of the consequences of ransomware infection is Travelex. The Travelex Group is a foreign exchange company founded by Lloyd Dorfman and based in London. Its main business areas include international payments, exchange offices and the issuing of prepaid credit cards for travellers, as well as global transfers.

In January 2020 it became public, that the IT systems of the Travelex Group were infected with ransomware. Security researcher Kevin Beaumont points out in the above tweet that Travelex is still having problems with its systems seven weeks after the infection.

Amazon Ring: Videos not very helpful for the police

Owners of a Ring Door Bell camera from Amazon have in the USA the option of forwarding the surveillance video of the front door to the police. This should help solve the crime. I had mentioned that in a German blog post in November 2019 (US-Polizei kann auf Amazon Ring-Videos zugreifen). Now I read at, that the whole operation was useless. Hundreds of US police stations had signed a contract with Amazon, which allows access to the surveillance video recordings. Amazon had the idea of promoting its Ring Door Bell surveillance camera to house and apartment owners via the security track and the police.

But the analysis of video footage probably did not lead to a single arrest. The realization also comes at a time when the number of crimes is declining. So no promotion for Amazon. Details can be found in the English language article.


Regarding the ring hacks, the Amazon subsidiary now forces all users to use two-factor authentication, as Bleeping Computer reports here.

25 Fleeceware Android apps found

Security researchers have found 25 Android apps in the Google Play Store, with a total of 600 million users. These apps contained so-called fleeceware features. Fleeceware is a term, introduced in September 2019, for a scam on apps from the Google Play Store. It refers to Android apps that offer free trial use. After the trial period has expired, subscription fees will be charged when using the app – that's legal.

Fleeceware apps, however, charge users' accounts even though they have not extended the trial period. The trick: Users must manually cancel this subscription before the trial period expires. However, since many people simply uninstall the app after the trial period, the trial converts into a paid subscription even though the app is no longer used. Normally, app developers have to make sure that when an app is uninstalled, the subscription is also cancelled. 

Android Fleeceware-Apps
(Android Fleeceware-Apps, Source: Sophos)

Sophos described the scam in more detail in this blog post. ZDnet has also addressed it in this post

Security researchers have found 24 Android apps created by developers of the Chinese company Shenzhen Hawk Internet Co. The apps have a total of 382 million downloads and require excessive and dangerous permissions from users during installation. Details can be found via this Tweet.

49 Android apps with malware target German users

The MobOk Android malware has just been found in 49 smaller apps for Android in the Google Play Store, as the following tweet indicates.

The French website Evina published this article with details. The MobOK malware asks when installing permissions. If these permissions are granted, the malware gains access to the SMS messages. MobOk now collects information about the device that is useful for its fraudulent activities. This includes, for example, the relevant operator details and the screen size of the mobile device. It then launches an invisible browser that aims to rip off the user via the respective mobile phone operator with premium subscriptions for mobile phone services.

Ransomware infection in Redcar & Cleveland (England)

The British municipalities of Redcar and Cleveland have been offline since the weekend. This is not due to the storm that has swept over Great Britain. Ransomware seems to have paralyzed the IT systems of the municipalities.

The linked article from a British medium indicates that the systems are searched for ransomware.

Cyber attack on Maastricht University long unnoticed

The University (UM) of the Dutch city of Maastricht was the victim of a ransomware attack in 2019 (see Ransomware infects Maastricht University). In December 2019 all computer systems had to be shut down. In early February 2020, the university published a report on the findings of the cyber attack. According to this German article, however, the attack already began on 15-16 October 2019, when two phishing emails were opened. 

The attacker worked his way through several vulnerabilities until December 23, 2019 to gain full access to the university's digital infrastructure with several hundred servers and encrypted them using ransomware. The university paid for the decryption on December 30, 2019 (Reuters reports 30 Bitcoin, approx. 200,000 euros).

Another short information: Recently the EECS department of Queen Mary University in London was infected by the Ryuk ransomware. But there seem to be no public reports. I received the information via Twitter.  Currently, only on this page you can find information, 'Due to the recent major incident with the RYUK Ransomware attack at the School of SEMS, we have DISABLED access to unmanaged devices using the SMB/CIFS protocol to the networks shares on the staff login-server '', which points out the incident.

Extract TeamViewer credentials from the registry

In TeamViewer vulnerability CVE-2019-18988 allows to read the credentials from the Windows registry and then decrypt them. The following tweet points this out.

The background is that TeamViewer stores the credentials in encrypted form (AES-128-CBC) in the Windows registry. Details can be found in the linked articles.

Software error reveals ID of 1.26 million Danes

A software error resulted in the disclosure of the identification numbers of 1.26 million people in Denmark.

Security hodgepodge

And here are some links to various news from the security environment, which are already a little older.

  • In this tweet, security researcher Brian Krebs informs that the domain is for sale. The domain is dangerous because years of testing show that anyone who works with it has access to an infinite stream of passwords, Email/proprietary data from hundreds of 1,000 systems.
  • Most VPN companies do not really care about the privacy of their users. They have trackers on their website and in apps, use Google Analytics, and spend millions of dollars on monitoring that you constantly track. Some of us want to do better. The makers of IVPnet want to do better, as they write in this thread.
  • Attackers have infected three global manufacturing companies with the Lemon Duck malware by targeting their IoT devices running Windows 7. Details can be found on this tweet.
  • In February, MikroTik patched a path issue (CVE-2020-5720) that this user found in WinBox 3.20 (see also).
  • According to a study by ImmuniWeb, 97 of the 100 largest airports in the world have security risks regarding web and mobile applications, misconfigured public clouds or repository leaks, source is Trend Micro Germany.
  • According to report at ZDNet, half of the medical devices are vulnerable to attacks via the BlueKeep vulnerability. 
  • An operator of a US gas pipeline was attacked by ransomware, according to the latest ZDNet article here
  • The AZORult malware gets onto the victims' machines via fake ProtonVPN installers, as can be read on Bleeping Computer.
  • Windows users in Italy are the target of a Dharma ransomware spam campaign, as you can read at Bleeping Computer.

The only thing you can really do for security reasons is to turn your stuff off or keep all devices offline.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *