AttackWise cyber security round-up 2 February 2019

In the news

  • Apple revoked the enterprise certificate Google used to sign its internal iOS apps. The action was taken because Google had used the certificate, which Apple’s Enterprise Developer Program permits only for distributing apps to a company’s own employees, to sign a “research” application aimed at the general public. A direct side effect of the revocation was that Google’s internal iOS apps stopped working. Reportedly the app had previously been effectively banned for collecting too much data on users.
  • Apple has disabled Group FaceTime after the discovery of a bug that allowed eavesdropping: a caller could hear audio from the recipient’s device before the call was answered. The New York Attorney General has launched an investigation into Apple’s response to the issue.
  • The US Department of Justice unveiled its criminal case against Huawei, alleging that the Chinese company stole trade secrets and violated sanctions on Iran. Huawei is the world’s largest telecoms equipment provider.

In the wild

  • It appears ‘orphaned’ DNS nameserver records (NS delegations that still point at a DNS provider’s servers after the zone was removed there) are being used to hijack domain names: whoever re-creates the zone at that provider typically takes control of the name. The attack is affecting companies from Autodesk to Walgreens. The attackers’ motivation: to get hold of high-reputation domains from which to send spam.
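The check a defender would want for the item above is an audit of every NS delegation they publish: ask each delegated nameserver directly for the zone’s SOA and flag any server that refuses, fails, answers without the AA flag, or does not answer at all. The script below is an added example written for this round-up, not code from the post or from the reports it summarises. The zone names, the “shared provider” suffix list and the sample `dig` output are all constructed; only the `query_with_dig` helper talks to real servers, and it is not used by the offline sample.

```python
"""Audit NS delegations for the 'orphaned nameserver' condition: the server an
NS record points at no longer serves the zone, and, if it belongs to a shared
DNS provider, anyone can re-create the zone there and take over the name.
Editor's added example, not code from the round-up or the reports it
summarises; provider suffixes and sample `dig` output are constructed."""
import re
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class Delegation:
    zone: str        # e.g. "old-campaign.example."
    nameserver: str  # NS target as listed in the parent zone


@dataclass(frozen=True)
class Answer:
    rcode: str           # NOERROR, REFUSED, SERVFAIL, NXDOMAIN or NORESPONSE
    authoritative: bool  # AA flag present in the response


_STATUS = re.compile(r"status: ([A-Z]+),")
_FLAGS = re.compile(r"flags: ([a-z ]*);")


def parse_dig_comments(text):
    """Parse the ';; ->>HEADER<<-' and ';; flags:' lines `dig` prints.
    A timed-out query prints no header; a dead server is itself a finding,
    so report it as NORESPONSE instead of raising."""
    status, flags = _STATUS.search(text), _FLAGS.search(text)
    if status is None or flags is None:
        return Answer("NORESPONSE", False)
    return Answer(status.group(1), "aa" in flags.group(1).split())


def query_with_dig(d):
    """Ask the delegated server itself (not a recursive resolver) for the SOA.
    Needs `dig` on PATH and network access; the offline sample below does not use it."""
    proc = subprocess.run(
        ["dig", "+norecurse", "+noall", "+comments", "+time=3", "+tries=1",
         "@" + d.nameserver.rstrip("."), d.zone, "SOA"],
        capture_output=True, text=True, check=False)
    return parse_dig_comments(proc.stdout)


def classify(d, answer, shared_suffixes):
    """ok: answers authoritatively.  orphaned: does not serve the zone (wrong
    rcode, no AA flag, or silent).  claimable: orphaned at a shared provider
    where any customer can create the zone, i.e. the hijack described above."""
    if answer.rcode == "NOERROR" and answer.authoritative:
        return "ok"
    ns = d.nameserver.lower()
    if any(ns.endswith(s.lower()) for s in shared_suffixes):
        return "claimable"
    return "orphaned"


def audit(delegations, query, shared_suffixes):
    """Map (zone, nameserver) -> verdict; `query` is query_with_dig or a stub."""
    return {(d.zone, d.nameserver): classify(d, query(d), shared_suffixes)
            for d in delegations}


# Constructed sample standing in for live `dig +noall +comments` output.
SAMPLE_DELEGATIONS = [
    Delegation("corp.example.", "ns1.corp-dns.example."),            # healthy
    Delegation("old-campaign.example.", "ns1.shared-dns.example."),  # zone deleted at provider
    Delegation("lab.example.", "ns2.corp-dns.example."),             # server gone
]
SAMPLE_RESPONSES = {
    ("corp.example.", "ns1.corp-dns.example."):
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711\n"
        ";; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n",
    ("old-campaign.example.", "ns1.shared-dns.example."):
        ";; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4712\n"
        ";; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n",
    ("lab.example.", "ns2.corp-dns.example."):
        ";; connection timed out; no servers could be reached\n",
}
SHARED_PROVIDER_SUFFIXES = (".shared-dns.example.",)  # hypothetical shared provider


def sample_query(d):
    return parse_dig_comments(SAMPLE_RESPONSES[(d.zone, d.nameserver)])


def run_sample():
    return audit(SAMPLE_DELEGATIONS, sample_query, SHARED_PROVIDER_SUFFIXES)


if __name__ == "__main__":
    for (zone, ns), verdict in run_sample().items():
        print(f"{verdict:9} {zone:24} {ns}")
```

Two points matter when running this for real. The delegation list must be what the parent zone actually publishes (the NS set your registrar or parent nameserver returns, e.g. from `dig +norecurse @<parent nameserver> <zone> NS`), not the child zone’s own NS records, because the stale entries are usually only visible at the parent. And the `claimable` verdict rests on an assumption about the provider: it is only a takeover if that provider lets any customer create a zone by that name, which is exactly the condition the round-up describes, so maintain the suffix list from your own knowledge of where zones were once hosted.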

Vulnerability alerts

  • Mozilla released security updates for critical vulnerabilities in the Thunderbird email client and the Firefox web browser.
  • US-CERT has released an alert for Exchange 2013 and newer being vulnerable to an NTLM relay attack: “an attacker that has credentials for an Exchange mailbox and also has the ability to communicate with both a Microsoft Exchange server and a Windows domain controller may be able to gain domain administrator privileges”. Relaying NTLM authentication to a domain controller’s LDAP service depends on the controller accepting unsigned binds, so requiring LDAP signing and channel binding on domain controllers closes that path while patches or configuration changes are pending.

Other stuff

  • An eye-opening article on how former NSA intelligence agents are legally being recruited by foreign governments to launch hacking operations.
  • An interesting description of malware that replaces the legitimate Google Update executable with a malicious version of its own, so that the legitimate scheduled tasks that run Google Update now launch the malware instead. The malicious version is even code-signed, potentially with a stolen or misused certificate, so the useful check is not merely “is this file signed” but whether the signer is the expected publisher and the file hash matches a known-good build.
  • FireEye has provided a detailed walk through of the attack lifecycle used by APT39, an Iranian cyber espionage group.

UK industry events