{"id":12940,"date":"2020-02-01T15:30:28","date_gmt":"2020-02-01T14:30:28","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=12940"},"modified":"2020-09-15T23:02:03","modified_gmt":"2020-09-15T21:02:03","slug":"sicherheitsinformationen-31-januar-2020","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2020\/02\/01\/sicherheitsinformationen-31-januar-2020\/","title":{"rendered":"Security information (January 31, 2020)"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"https:\/\/www.borncity.com\/blog\/2020\/01\/31\/sicherheitsinformationen-31-januar-2020\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>]To conclude the month of January 2020, here is some information on security issues that have come to my attention in the last few hours. <\/p>\n<p><!--more--><\/p>\n<h2>NEC hacked in 2016 <\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" alt=\"\" src=\"https:\/\/vg05.met.vgwort.de\/na\/0052b4090a274a21ae0f6a53843a00b6\" width=\"1\" height=\"1\">The Japanese manufacturer NEC (electronics and IT) was hacked in 2016 and data was pulled. Hackers stole 27,445 files from the defense division. The hack has only now been <a href=\"https:\/\/jpn.nec.com\/press\/202001\/20200131_01.html\" target=\"_blank\" rel=\"noopener noreferrer\">made public<\/a>. <\/p>\n<blockquote>\n<p>NEC confirms that some of the internal servers used by the company's defense division are subject to unauthorized third-party access. 
Based on investigations by the company and external professional organizations, no damage such as information leaks has been confirmed to date.<\/p>\n<p>In July 2018, we succeeded in decrypting the encrypted communication with an infected server and an external server that was carrying out unauthorized communication, and storing it on our internal server for information exchange with other departments of our Defense division. It was discovered that 27,445 files were accessed illegally.<\/p>\n<\/blockquote>\n<p>Bleeping Computer addressed this issue in the following tweet, which outlines the key points of the NEC press release.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">NEC confirmed defense business division security breach in a press release issued today. <\/p>\n<p>\u2022 Network initially infiltrated after December 2016<br \/>\u2022 Unauthorized communication detected and blocked in June 2017<br \/>\u2022 Encrypted communication with external servers decrypted in July 2018 <a href=\"https:\/\/t.co\/S9Wdj1TH17\">pic.twitter.com\/S9Wdj1TH17<\/a><\/p>\n<p>\u2014 BleepingComputer (@BleepinComputer) <a href=\"https:\/\/twitter.com\/BleepinComputer\/status\/1223041476101394435?ref_src=twsrc%5Etfw\">January 31, 2020<\/a><\/p><\/blockquote>\n<p>Catalin Cimpanu has also published an article on ZDNet.com, as he writes in the following tweet.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">In a press conference today, Japan's defense minister says NEC is second of four defense companies that have been hacked between 2016 and 2018.<\/p>\n<p>The first was Mitsubishi Electric &#8212; breach disclosed last week.<\/p>\n<p>The last two have not been named yet.<\/p>\n<p>\u2014 Catalin Cimpanu (@campuscodi) <a href=\"https:\/\/twitter.com\/campuscodi\/status\/1223214587153088512?ref_src=twsrc%5Etfw\">January 31, 
2020<\/a><\/p><\/blockquote>\n<h2>Hong Kong universities infected with malware<\/h2>\n<p>According to the following tweet from Bleeping Computer, Hong Kong universities have been infected with malware. The infection is attributed to the Winnti malware.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Winnti Group Infected Hong Kong Universities With Malware &#8211; by <a href=\"https:\/\/twitter.com\/serghei?ref_src=twsrc%5Etfw\">@serghei<\/a><a href=\"https:\/\/t.co\/gkCRY2IMiK\">https:\/\/t.co\/gkCRY2IMiK<\/a><\/p>\n<p>\u2014 BleepingComputer (@BleepinComputer) <a href=\"https:\/\/twitter.com\/BleepinComputer\/status\/1223297746871910400?ref_src=twsrc%5Etfw\">January 31, 2020<\/a><\/p><\/blockquote>\n<p>The attacks were discovered in November 2019, after the security company's Augur machine learning engine detected ShadowPad Launcher malware samples on several devices at the two universities; Winnti malware infections had already been discovered there two weeks earlier, in October.<\/p>\n<p>These attacks were highly targeted: both the Winnti malware and the multi-modular ShadowPad backdoor contained command and control URLs as well as campaign identifiers that matched the names of the affected universities.<\/p>\n<h2>Magento has an RCE vulnerability<\/h2>\n<p>The eCommerce shop software Magento has a remote code execution vulnerability in versions up to 1.9.4.3\/1.14.4.3\/2.2.10\/2.3.3, as the following tweet reports:<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Magento up to 1.9.4.3\/1.14.4.3\/2.2.10\/2.3.3 Deserialization Remote Code Execution <a href=\"https:\/\/t.co\/2178vtaObr\">https:\/\/t.co\/2178vtaObr<\/a> <a 
href=\"https:\/\/t.co\/Mzf1pPb0Nr\">pic.twitter.com\/Mzf1pPb0Nr<\/a><\/p>\n<p>\u2014 Digitalmunition (@maher275) <a href=\"https:\/\/twitter.com\/maher275\/status\/1222889620364505094?ref_src=twsrc%5Etfw\">January 30, 2020<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script> <\/p>\n<h2>Microsoft Azure was vulnerable to attack via vulnerability<\/h2>\n<p>Cyber security researchers at Check Point have revealed details of two recently patched, potentially dangerous vulnerabilities in Microsoft Azure services. These would have allowed attackers to target several companies running their web and mobile applications on Azure. The Hacker News has compiled details in <a href=\"https:\/\/thehackernews.com\/2020\/01\/microsoft-azure-vulnerabilities.html\" target=\"_blank\" rel=\"noopener noreferrer\">this article<\/a>.&nbsp; <\/p>\n<h2>New attack method via Excel<\/h2>\n<p>Microsoft has discovered a new attack vector in the analysis of the TA505 phishing campaign that takes advantage of Excel files.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">The new campaign uses HTML redirectors attached to emails. When opened, the HTML leads to the download Dudear, a malicious macro-laden Excel file that drops the payload. In contrast, past Dudear email campaigns carried the malware as attachment or used malicious URLs. 
<a href=\"https:\/\/t.co\/mcRyEBUmQH\">pic.twitter.com\/mcRyEBUmQH<\/a><\/p>\n<p>\u2014 Microsoft Security Intelligence (@MsftSecIntel) <a href=\"https:\/\/twitter.com\/MsftSecIntel\/status\/1222995256540454912?ref_src=twsrc%5Etfw\">January 30, 2020<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script> <\/p>\n<p>Blog reader 1ST1 referred to this fact in <a href=\"https:\/\/www.borncity.com\/blog\/diskussion-allgemeines\/#comment-84140\" target=\"_blank\" rel=\"noopener noreferrer\">this comment<\/a> and linked to <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/microsoft-detects-new-evil-corp-malware-attacks-after-short-break\/\" target=\"_blank\" rel=\"noopener noreferrer\">the article by Bleeping Computer<\/a>.<\/p>\n<h2>Trickbot uses UAC bypass trick<\/h2>\n<p>The Malware Trickbot uses a new trick to bypass user account control and gain admin rights. Bleeping Computer points out the topic in the following tweet.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Just two weeks after adding the fodhelper.exe Windows 10 UAC bypass, TrickBot has started using the Wsreset.exe UAC bypass instead.<\/p>\n<p>Constantly evolving and keeping all of you on your toes!<\/p>\n<p>\u2014 BleepingComputer (@BleepinComputer) <a href=\"https:\/\/twitter.com\/BleepinComputer\/status\/1222992754646691842?ref_src=twsrc%5Etfw\">January 30, 2020<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script> <\/p>\n<p>There are some German blog posts on the topic of UAC bypassing (see the article list at the end of the post). 
<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">[local] Microsoft Windows &#8211; Multiple UAC Protection Bypasses <a href=\"https:\/\/t.co\/rSXvOEvkWR\">https:\/\/t.co\/rSXvOEvkWR<\/a><\/p>\n<p>\u2014 Nicolas Krassas (@Dinosn) <a href=\"https:\/\/twitter.com\/Dinosn\/status\/1203926333186826240?ref_src=twsrc%5Etfw\">December 9, 2019<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script> <\/p>\n<p>Nicolas Krassas refers in the link above to an article with information about UAC bypassing. <\/p>\n<blockquote>\n<p>About Active Directory Dumping by Trickbot I would like to point out <a href=\"https:\/\/web.archive.org\/web\/20200309134441\/https:\/\/identityaccessdotmanagement.files.wordpress.com\/2020\/01\/attcking-ad-for-fun-and-profit-1.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">this PDF document<\/a>.&nbsp; <\/p>\n<\/blockquote>\n<h2>Does Amazon track its Kindle users?<\/h2>\n<p>A few hours ago I came across a weird tweet. Adrianne Jeffries requested the data on his devices from Amazon.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Amazon appears to be tracking every tap on Kindle. I just got my data back and there are 90K rows of this <a href=\"https:\/\/t.co\/wVCSXCTVwv\">pic.twitter.com\/wVCSXCTVwv<\/a><\/p>\n<p>\u2014 Adrianne Jeffries (@adrjeffries) <a href=\"https:\/\/twitter.com\/adrjeffries\/status\/1222277544730337280?ref_src=twsrc%5Etfw\">January 28, 2020<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script> <\/p>\n<p>She has the impression that on her Kindle every tap on the screen is recorded. 
<\/p>\n<p><strong>Similar articles (German):<\/strong><br \/><a href=\"https:\/\/www.borncity.com\/blog\/2017\/05\/24\/windows10-neue-uac-bypassing-methode-fodhelper-exe\/\" target=\"_blank\" rel=\"noopener noreferrer\">Windows10: Neue UAC-Bypassing-Methode (fodhelper.exe)<\/a><br \/><a href=\"https:\/\/www.borncity.com\/blog\/2019\/07\/04\/windows-uac-ber-silentcleanup-ausgehebelt\/\" target=\"_blank\" rel=\"noopener noreferrer\">Windows UAC \u00fcber SilentCleanup ausgehebelt<\/a><br \/><a href=\"https:\/\/www.borncity.com\/blog\/2017\/02\/10\/erebus-ransomware-und-die-ausgetrickste-uac\/\" target=\"_blank\" rel=\"noopener noreferrer\">Erebus Ransomware und die ausgetrickste UAC<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]To conclude the month of January 2020, here is some information on security issues that have come to my attention in the last few hours.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580],"tags":[69],"class_list":["post-12940","post","type-post","status-publish","format-standard","hentry","category-security","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/12940","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=12940"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/12940\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=12940"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/w
p-json\/wp\/v2\/categories?post=12940"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=12940"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}