Cyber Security

Johnson will defy US and allow use of Huawei, says top security adviser



Chinese firm poised to help build UK's 5G phone network despite warnings about spying

Boris Johnson is likely to approve the use of Huawei technology in the UK's new 5G network against the pleas of the US government, a former national security adviser has said.

Sir Mark Lyall Grant, who was Theresa May's national security adviser, said that the security services had repeatedly concluded over several years that they were able to mitigate any potential threats posed by the Chinese technology.

The US has warned the British government it would be "madness" to use Huawei technology, and senior Washington officials have said numerous times that the Trump administration would reassess intelligence sharing with the UK in light of such a move.

However, UK security figures dispute the claim and Britain has already used some Huawei technology in previous mobile networks. A final decision is expected later this month.

Lyall Grant told the Observer: "This has been gone into now by three different administrations, and I think the outcome is quite likely to be the same: that the intelligence agencies are expressing confidence that they can sufficiently mitigate any potential security threat to allow Huawei to continue to provide at least the non-core telecommunications equipment for 5G rollout. The government has developed an oversight mechanism which they are confident will work.

"Combine that with the fact that Huawei has more advanced technology than the alternatives, I think it is relatively likely that Boris Johnson will come to the same conclusion."

Two of Britain's biggest telecoms companies, BT and Vodafone, are understood to be drafting a letter to Johnson, setting out their support for Huawei's involvement in 5G.

Last night, a senior Huawei executive, Victor Zhang, said there was "simply no justification" for banning the company on cyber security grounds.

"After looking at the facts, we hope the government agrees so that our customers can keep the UK's 5G roll-out on track and meet the prime minister's promise of gigabit connectivity for all," he said.

"Giving Huawei the go-ahead to continue supplying equipment will mean telecoms companies have access to the best technology and the breadth of suppliers they need to build secure, resilient and reliable networks."

The dispute was a sign that Britain would be repeatedly asked to take a side in disputes between the US and China, Lyall Grant added. "The interesting thing about Huawei is that it is the first, but by no means the only issue on which the risk is, over the next decade, we are going to be pressured to choose," he said. "And that is a choice that on some issues the UK government is not going to want to make."


Phishers using strong tactics and poor bait in Office 365 scam



An uptick in phishing attempts using a fake and badly created Office 365 credentials update form is taking place, according to a new Cofense report.

Not only is the form, which is linked to in the email, riddled with typos and capitalization errors, but it is actually a Google Forms document, something Microsoft is unlikely to use under any circumstances.

The Cofense Phishing Defense Center found the malicious actors did go to great lengths in some respects to make their scam appear legitimate. The email itself originates from a real company, the financial services provider CIM Finance, and they used the CIM Finance website to host the emails to help bypass basic email security. An additional evasive step is to use Google so the doc has an authentic SSL certificate, so the recipients will believe they are being linked to a Microsoft page. However, the URL links to an external Google page.

The email claims to be from the IT corporate team and states the person's Office 365 account has expired and, unless the individual clicks the link and updates the account, it will be suspended.

At this point all the professionalism employed by the attackers disappears.

"Clicking the link, the end user is presented with a substandard imitation of the Microsoft Office365 login page, as seen in figure 3, that does not follow Microsoft's visual protocol. Half the words are capitalized, and letters are replaced with asterisks; examples include the word 'email' and the word 'password.' In addition, when end users type their credentials, they appear in plain text as opposed to asterisks, raising a red flag the login page is not real," Cofense said.

Since this is a Google doc, once the information is entered it becomes available to the doc's creator.
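The tell described above, a Microsoft-branded lure whose link resolves to a third-party form builder, is easy to check for in mail-filtering or triage tooling. The following is an added example, not code from Cofense or the article; the sample message, the host lists and the `find_brand_mismatch` function are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample, modelled on the Office 365 lure described in the report
# (not a real message from the Cofense write-up).
SAMPLE_EMAIL = """From: IT Corporate Team <it-team@cimfinance.example>
Subject: Your Office 365 account has expired
Your Office 365 account has Expired. Update your account within 24 hours
or it will be Suspended: https://docs.google.com/forms/d/e/FAKE-ID/viewform
"""

# Hosts a genuine Microsoft sign-in link would be expected to use.
# Assumption: illustrative list, extend it for your own tenant.
MICROSOFT_HOSTS = ("microsoft.com", "microsoftonline.com", "office.com", "live.com")
# Form/document builders a vendor would not use for its own login page.
FORM_BUILDER_HOSTS = ("docs.google.com", "forms.gle")

BRAND_RE = re.compile(r"\b(office\s?365|microsoft|outlook)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_matches(host, suffixes):
    """True if host is one of the suffixes or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def find_brand_mismatch(email_text):
    """Return (url, reason) pairs for links in a Microsoft-branded message
    that point somewhere Microsoft would not host a login page."""
    if not BRAND_RE.search(email_text):
        return []          # no Microsoft branding, nothing to compare against
    findings = []
    for url in URL_RE.findall(email_text):
        host = (urlparse(url).hostname or "").lower()
        if host_matches(host, MICROSOFT_HOSTS):
            continue       # brand and link agree
        if host_matches(host, FORM_BUILDER_HOSTS):
            findings.append((url, "Microsoft-branded lure links to a third-party form builder"))
        else:
            findings.append((url, "Microsoft-branded lure links to a non-Microsoft host"))
    return findings


if __name__ == "__main__":
    for url, reason in find_brand_mismatch(SAMPLE_EMAIL):
        print(f"FLAG {url}: {reason}")
```

The check is deliberately narrow: it only fires when the body claims a Microsoft identity, so ordinary mail that happens to link to a Google form is not flagged.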



Campaign staffer’s husband arrested for DDoSing former Rep. Katie Hill’s opponent



The husband of a campaign staffer for former Rep. Katie Hill, D-CA., was arrested by the FBI for allegedly launching four DDoS attacks against the former congresswoman’s primary opponent.

Arthur Dam was arrested on February 21 by FBI agents and charged with one count of intentionally damaging and attempting to damage a protected computer. In the criminal complaint filed in the Central District of California, the FBI claimed Dam conducted the attacks while his wife, who was not named, worked on Hill's campaign staff.

The complaint did not name the victim, but it did indicate the candidate was male, and according to Ballotpedia the only male running in California's 25th District Democratic primary was Brian Caforio. He lost his primary bid by just under 3,000 votes.

The attacks took place between April and May 2018, with the site being down for a total of 21 hours, the FBI said in a release, with the victim claiming $27,000 to $30,000 in damages incurred in repairing the damage, buying extra security and lost donations.

"The attack on or about April 28, 2018, occurred just before the start of a live political debate, which featured the Victim and his two opponents. This attack shut down the Victim's website and it remained offline throughout the debate," the criminal complaint stated.

The attacks were conducted using an AWS account that the FBI said was controlled by Dam. Agents discovered that each attack was preceded by logins to the AWS account from Dam's home or office, and cookies from the account were found on Dam's iPhone. The attacks were associated with URLs spoofing USA Today, Google, and Engadget web pages.

Dam has a cybersecurity background with the complaint stating he runs DDoS attacks as part of his job as a pen tester.

The FBI did not claim that either Hill or Dam’s wife were involved in the incidents.

Hill, who won her seat by defeating incumbent Stephen Knight in 2018, resigned from Congress in October 2019 after admitting she had engaged in an inappropriate relationship with a staffer before being elected to Congress, The Hill reported.



Zyxel Fixes 0day in Network Storage Devices



Patch comes amid active exploitation by ransomware gangs

Networking hardware vendor Zyxel today released an update to fix a critical flaw in many of its network attached storage (NAS) devices that can be used to remotely commandeer them. The patch comes 12 days after KrebsOnSecurity alerted the company that precise instructions for exploiting the vulnerability were being sold for $20,000 in the cybercrime underground.

Based in Taiwan, Zyxel Communications Corp. (a.k.a “ZyXEL”) is a maker of networking devices, including Wi-Fi routers, NAS products and hardware firewalls. The company has roughly 1,500 employees and boasts some 100 million devices deployed worldwide. While in many respects the class of vulnerability addressed in this story is depressingly common among Internet of Things (IoT) devices, the flaw is notable because it has attracted the interest of groups specializing in deploying ransomware at scale.

KrebsOnSecurity first learned about the flaw on Feb. 12 from Alex Holden, founder of Milwaukee-based security firm Hold Security. Holden had obtained a copy of the exploit code, which allows an attacker to remotely compromise more than a dozen types of Zyxel NAS products remotely without any help from users.

A snippet from the documentation provided by 500mhz for the Zyxel 0day.

Holden said the seller of the exploit code — a ne'er-do-well who goes by the nickname "500mhz" — is known for being reliable and thorough in his sales of 0day exploits (a.k.a. "zero-days," these are vulnerabilities in hardware or software products that vendors first learn about when exploit code and/or active exploitation shows up online).

For example, this and previous zero-days for sale by 500mhz came with exhaustive documentation detailing virtually everything about the flaw, including any preconditions needed to exploit it, step-by-step configuration instructions, tips on how to remove traces of exploitation, and example search links that could be used to readily locate thousands of vulnerable devices.

500mhz’s profile on one cybercrime forum states that he is constantly buying, selling and trading various 0day vulnerabilities.

“In some cases, it is possible to exchange your 0day with my existing 0day, or sell mine,” his Russian-language profile reads.

The profile page of 500mhz, translated from Russian to English via Google Chrome.


KrebsOnSecurity first contacted Zyxel on Feb. 12, sharing a copy of the exploit code and description of the vulnerability. When four days elapsed without any response from the vendor to notifications sent via multiple methods, this author shared the same information with vulnerability analysts at the U.S. Department of Homeland Security (DHS) and with the CERT Coordination Center (CERT/CC), a partnership between DHS and Carnegie Mellon University.

Less than 24 hours after contacting DHS and CERT/CC, KrebsOnSecurity heard back from Zyxel, which thanked KrebsOnSecurity for the alert without acknowledging its failure to respond until they were sent the same information by others.

“Thanks for flagging,” Zyxel’s team wrote on Feb. 17. “We’ve just received an alert of the same vulnerabilities from US-CERT over the weekend, and we’re now in the process of investigating. Still, we heartily appreciate you bringing it to our attention.”

Earlier today, Zyxel sent a message saying it had published a security advisory and patch for the zero-day exploit in some of its affected products. The vulnerable devices include NAS542, NAS540, NAS520, NAS326, NSA325 v2, NSA325, NSA320S, NSA320, NSA310S, NSA310, NSA221, NSA220+, NSA220, and NSA210. The flaw is designated as CVE-2020-9054.

However, many of these devices are no longer supported by Zyxel and will not be patched. Zyxel’s advice for those users is simply “do not leave the product directly exposed to the internet.”

“If possible, connect it to a security router or firewall for additional protection,” the advisory reads.

Holden said given the simplicity of the exploit — which allows an attacker to seize remote control over an affected device by injecting just two characters to the username field of the login panel for Zyxel NAS devices — it’s likely other Zyxel products may have related vulnerabilities.

“Considering how stupid this exploit is, I’m guessing this is not the only one of its class in their products,” he said.

CERT’s advisory on the flaw rates it at a “10” — its most severe. The advisory includes additional mitigation instructions, including a proof-of-concept exploit that has the ability to power down affected Zyxel devices.


Holden said recent activity suggests that attackers known for deploying ransomware have been actively working to test the zero-day for use against targets. Specifically, Holden said the exploit is now being used by a group of bad guys who are seeking to fold the exploit into Emotet, a powerful malware tool typically disseminated via spam that is frequently used to seed a target with malcode which holds the victim’s files for ransom.

Holden said 500mhz was offering the Zyxel exploit for $20,000 on cybercrime forums, although it’s not clear whether the Emotet gang paid anywhere near that amount for access to the code. Still, he said, ransomware gangs could easily earn back their investment by successfully compromising a single target with this simple but highly reliable exploit.

“From the attacker’s standpoint simple is better,” he said. “The commercial value of this exploit was set at $20,000, but that’s not much when you consider a ransomware gang could easily make that money back and then some in a short period of time.”

Emotet’s nascent forays into IoT come amid other disturbing developments for the prolific exploitation platform. Earlier this month, security researchers noted that Emotet now has the capability to spread in a worm-like fashion via Wi-Fi networks.

“To me, a 0day exploit in Zyxel is not as scary as who bought it,” he said. “The Emotet guys have been historically targeting PCs, laptops and servers, but their venture now into IoT devices is very disturbing.”


This experience was a good reminder that vulnerability reporting and remediation often can be a frustrating process. Twelve days turnaround is fairly quick as these things go, although probably not quick enough for customers using products affected by zero-day vulnerabilities.

It can be tempting when one is not getting any response from a vendor to simply publish an alert detailing one’s findings, and the pressure to do so certainly increases when there is a zero-day flaw involved. KrebsOnSecurity ultimately opted not to do that for three reasons.

First, at the time there was no evidence that the flaws were being actively exploited. Second, the vendor had assured DHS and CERT/CC that it would soon have a patch available.

Perhaps most importantly, public disclosure of an unpatched flaw could well have made a bad situation worse, without offering affected users much in the way of information about how to protect their systems.

Many hardware and software vendors include a link from their home pages to /security.txt, which is a proposed standard for allowing security researchers to quickly identify the points of contact at vendors when seeking to report security vulnerabilities. But even vendors who haven’t yet adopted this standard (Zyxel has not) usually will respond to reports at security@[vendordomainhere]; indeed, Zyxel encourages researchers to forward any such reports to

On the subject of full disclosure, I should note that while this author is listed by Hold Security’s site as an advisor, KrebsOnSecurity has never sought nor received remuneration of any kind in connection with this role.
