More stories

  • Microsoft September 2020 Patch Tuesday fixes 129 vulnerabilities

    Microsoft has published today its monthly batch of security updates, also known as Patch Tuesday. This month, the OS maker patched 129 vulnerabilities across 15 products, ranging from Windows to ASP.NET.
    Of note is that this month, of the 129 vulnerabilities, 32 were classified as remote code execution issues, which are bugs that permit attackers to exploit vulnerable applications remotely, over a network.
    Of these 32, 20 also received a severity classification of “critical,” the highest rating on Microsoft’s scale, making those 20 some of the most important bugs patched across Microsoft products this month. The list of 20 critical RCEs includes bugs in:
    All of the vulnerabilities listed above are serious issues, and especially the ones impacting Windows (due to the huge attack surface) and SharePoint and Dynamics 365 (as these systems are often installed on large enterprise networks).
    Malware authors are known to follow Microsoft’s monthly security updates, select the most useful/dangerous bugs, and patch-diff the updated components to find the exact bug Microsoft fixed — so they can weaponize it for future attacks.
    System administrators are advised to review the threat posed by each of the RCE vulnerabilities listed above, and then decide if this month’s security updates need to be applied right away or delayed for additional testing.
    Below is additional information about today’s Microsoft Patch Tuesday and security updates released by other major tech companies:
    Microsoft’s official Security Update Guide portal lists all security updates in a filterable table.
    ZDNet has published this file listing all this month’s security advisories on one single page.
    Adobe’s security updates are detailed here.
    SAP security updates are available here.
    Intel security updates are available here.
    VMWare security updates are available here.
    Chrome 85 security updates are detailed here.
    The Android Security Bulletin for September 2020 will also be out later today, delayed due to the Labor Day extended weekend.
    Tag | CVE ID | CVE Title
    Active Directory | CVE-2020-0761 | Active Directory Remote Code Execution Vulnerability
    Active Directory | CVE-2020-0856 | Active Directory Information Disclosure Vulnerability
    Active Directory | CVE-2020-0718 | Active Directory Remote Code Execution Vulnerability
    Active Directory | CVE-2020-0664 | Active Directory Information Disclosure Vulnerability
    Active Directory Federation Services | CVE-2020-0837 | ADFS Spoofing Vulnerability
    ASP.NET | CVE-2020-1045 | Microsoft ASP.NET Core Security Feature Bypass Vulnerability
    Common Log File System Driver | CVE-2020-1115 | Windows Common Log File System Driver Elevation of Privilege Vulnerability
    Internet Explorer | CVE-2020-1012 | WinINet API Elevation of Privilege Vulnerability
    Internet Explorer | CVE-2020-16884 | Internet Explorer Browser Helper Object (BHO) Memory Corruption Vulnerability
    Internet Explorer | CVE-2020-1506 | Windows Start-Up Application Elevation of Privilege Vulnerability
    Microsoft Browsers | CVE-2020-0878 | Microsoft Browser Memory Corruption Vulnerability
    Microsoft Dynamics | CVE-2020-16857 | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability
    Microsoft Dynamics | CVE-2020-16858 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
    Microsoft Dynamics | CVE-2020-16860 | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
    Microsoft Dynamics | CVE-2020-16859 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
    Microsoft Dynamics | CVE-2020-16861 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
    Microsoft Dynamics | CVE-2020-16872 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
    Microsoft Dynamics | CVE-2020-16864 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
    Microsoft Dynamics | CVE-2020-16878 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
    Microsoft Dynamics | CVE-2020-16862 | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
    Microsoft Dynamics | CVE-2020-16871 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
    Microsoft Exchange Server | CVE-2020-16875 | Microsoft Exchange Memory Corruption Vulnerability
    Microsoft Graphics Component | CVE-2020-0921 | Microsoft Graphics Component Information Disclosure Vulnerability
    Microsoft Graphics Component | CVE-2020-0998 | Windows Graphics Component Elevation of Privilege Vulnerability
    Microsoft Graphics Component | CVE-2020-1091 | Windows Graphics Component Information Disclosure Vulnerability
    Microsoft Graphics Component | CVE-2020-1152 | Windows Win32k Elevation of Privilege Vulnerability
    Microsoft Graphics Component | CVE-2020-1097 | Windows Graphics Component Information Disclosure Vulnerability
    Microsoft Graphics Component | CVE-2020-1083 | Microsoft Graphics Component Information Disclosure Vulnerability
    Microsoft Graphics Component | CVE-2020-1053 | DirectX Elevation of Privilege Vulnerability
    Microsoft Graphics Component | CVE-2020-1308 | DirectX Elevation of Privilege Vulnerability
    Microsoft Graphics Component | CVE-2020-1245 | Win32k Elevation of Privilege Vulnerability
    Microsoft Graphics Component | CVE-2020-1285 | GDI+ Remote Code Execution Vulnerability
    Microsoft Graphics Component | CVE-2020-1256 | Windows GDI Information Disclosure Vulnerability
    Microsoft Graphics Component | CVE-2020-1250 | Win32k Information Disclosure Vulnerability
    Microsoft JET Database Engine | CVE-2020-1039 | Jet Database Engine Remote Code Execution Vulnerability
    Microsoft JET Database Engine | CVE-2020-1074 | Jet Database Engine Remote Code Execution Vulnerability
    Microsoft NTFS | CVE-2020-0838 | NTFS Elevation of Privilege Vulnerability
    Microsoft Office | CVE-2020-1594 | Microsoft Excel Remote Code Execution Vulnerability
    Microsoft Office | CVE-2020-1335 | Microsoft Excel Remote Code Execution Vulnerability
    Microsoft Office | CVE-2020-16855 | Microsoft Office Information Disclosure Vulnerability
    Microsoft Office | CVE-2020-1338 | Microsoft Word Remote Code Execution Vulnerability
    Microsoft Office | CVE-2020-1332 | Microsoft Excel Remote Code Execution Vulnerability
    Microsoft Office | CVE-2020-1224 | Microsoft Excel Information Disclosure Vulnerability
    Microsoft Office | CVE-2020-1218 | Microsoft Word Remote Code Execution Vulnerability
    Microsoft Office | CVE-2020-1193 | Microsoft Excel Remote Code Execution Vulnerability
    Microsoft Office SharePoint | CVE-2020-1345 | Microsoft Office SharePoint XSS Vulnerability
    Microsoft Office SharePoint | CVE-2020-1205 | Microsoft SharePoint Spoofing Vulnerability
    Microsoft Office SharePoint | CVE-2020-1210 | Microsoft SharePoint Remote Code Execution Vulnerability
    Microsoft Office SharePoint | CVE-2020-1514 | Microsoft Office SharePoint XSS Vulnerability
    Microsoft Office SharePoint | CVE-2020-1595 | Microsoft SharePoint Remote Code Execution Vulnerability
    Microsoft Office SharePoint | CVE-2020-1523 | Microsoft SharePoint Server Tampering Vulnerability
    Microsoft Office SharePoint | CVE-2020-1440 | Microsoft SharePoint Server Tampering Vulnerability
    Microsoft Office SharePoint | CVE-2020-1200 | Microsoft SharePoint Remote Code Execution Vulnerability
    Microsoft Office SharePoint | CVE-2020-1482 | Microsoft Office SharePoint XSS Vulnerability
    Microsoft Office SharePoint | CVE-2020-1198 | Microsoft Office SharePoint XSS Vulnerability
    Microsoft Office SharePoint | CVE-2020-1227 | Microsoft Office SharePoint XSS Vulnerability
    Microsoft Office SharePoint | CVE-2020-1576 | Microsoft SharePoint Remote Code Execution Vulnerability
    Microsoft Office SharePoint | CVE-2020-1452 | Microsoft SharePoint Remote Code Execution Vulnerability
    Microsoft Office SharePoint | CVE-2020-1575 | Microsoft Office SharePoint XSS Vulnerability
    Microsoft Office SharePoint | CVE-2020-1453 | Microsoft SharePoint Remote Code Execution Vulnerability
    Microsoft Office SharePoint | CVE-2020-1460 | Microsoft SharePoint Server Remote Code Execution Vulnerability
    Microsoft OneDrive | CVE-2020-16853 | OneDrive for Windows Elevation of Privilege Vulnerability
    Microsoft OneDrive | CVE-2020-16851 | OneDrive for Windows Elevation of Privilege Vulnerability
    Microsoft OneDrive | CVE-2020-16852 | OneDrive for Windows Elevation of Privilege Vulnerability
    Microsoft Scripting Engine | CVE-2020-1057 | Scripting Engine Memory Corruption Vulnerability
    Microsoft Scripting Engine | CVE-2020-1180 | Scripting Engine Memory Corruption Vulnerability
    Microsoft Scripting Engine | CVE-2020-1172 | Scripting Engine Memory Corruption Vulnerability
    Microsoft Windows | CVE-2020-1596 | TLS Information Disclosure Vulnerability
    Microsoft Windows | CVE-2020-1169 | Windows Runtime Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2020-1593 | Windows Media Audio Decoder Remote Code Execution Vulnerability
    Microsoft Windows | CVE-2020-1159 | Windows Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2020-1598 | Windows UPnP Service Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2020-0790 | Microsoft splwow64 Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2020-0922 | Microsoft COM for Windows Remote Code Execution Vulnerability
    Microsoft Windows | CVE-2020-0782 | Windows Cryptographic Catalog Services Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2020-0648 | Windows RSoP Service Application Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2020-0766 | Microsoft Store Runtime Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2020-1590 | Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2020-1376 | Windows Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2020-1471 | Windows CloudExperienceHost Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2020-16879 | Projected Filesystem Information Disclosure Vulnerability
    Microsoft Windows | CVE-2020-1013 | Group Policy Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2020-1532 | Windows InstallService Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2020-1491 | Windows Function Discovery Service Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2020-1303 | Windows Runtime Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2020-1252 | Windows Remote Code Execution Vulnerability
    Microsoft Windows | CVE-2020-1559 | Windows Storage Services Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2020-1507 | Microsoft COM for Windows Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2020-1508 | Windows Media Audio Decoder Remote Code Execution Vulnerability
    Microsoft Windows | CVE-2020-0914 | Windows State Repository Service Information Disclosure Vulnerability
    Microsoft Windows | CVE-2020-0886 | Windows Storage Services Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2020-0989 | Windows Mobile Device Management Diagnostics Information Disclosure Vulnerability
    Microsoft Windows | CVE-2020-0875 | Microsoft splwow64 Information Disclosure Vulnerability
    Microsoft Windows | CVE-2020-0912 | Windows Function Discovery SSDP Provider Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2020-1038 | Windows Routing Utilities Denial of Service
    Microsoft Windows | CVE-2020-0908 | Windows Text Service Module Remote Code Execution Vulnerability
    Microsoft Windows | CVE-2020-1052 | Windows Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2020-0911 | Windows Modules Installer Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2020-0805 | Projected Filesystem Security Feature Bypass Vulnerability
    Microsoft Windows | CVE-2020-1119 | Windows Information Disclosure Vulnerability
    Microsoft Windows | CVE-2020-1146 | Microsoft Store Runtime Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2020-0951 | Windows Defender Application Control Security Feature Bypass Vulnerability
    Microsoft Windows | CVE-2020-1122 | Windows Language Pack Installer Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2020-1098 | Windows Shell Infrastructure Component Elevation of Privilege Vulnerability
    Microsoft Windows Codecs Library | CVE-2020-1319 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability
    Microsoft Windows Codecs Library | CVE-2020-0997 | Windows Camera Codec Pack Remote Code Execution Vulnerability
    Microsoft Windows Codecs Library | CVE-2020-1129 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability
    Microsoft Windows DNS | CVE-2020-0839 | Windows dnsrslvr.dll Elevation of Privilege Vulnerability
    Microsoft Windows DNS | CVE-2020-1228 | Windows DNS Denial of Service Vulnerability
    Microsoft Windows DNS | CVE-2020-0836 | Windows DNS Denial of Service Vulnerability
    Open Source Software | CVE-2020-16873 | Xamarin.Forms Spoofing Vulnerability
    SQL Server | CVE-2020-1044 | SQL Server Reporting Services Security Feature Bypass Vulnerability
    Visual Studio | CVE-2020-16874 | Visual Studio Remote Code Execution Vulnerability
    Visual Studio | CVE-2020-16856 | Visual Studio Remote Code Execution Vulnerability
    Visual Studio | CVE-2020-16881 | Visual Studio JSON Remote Code Execution Vulnerability
    Windows DHCP Server | CVE-2020-1031 | Windows DHCP Server Information Disclosure Vulnerability
    Windows Diagnostic Hub | CVE-2020-1130 | Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability
    Windows Diagnostic Hub | CVE-2020-1133 | Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability
    Windows Hyper-V | CVE-2020-0904 | Windows Hyper-V Denial of Service Vulnerability
    Windows Hyper-V | CVE-2020-0890 | Windows Hyper-V Denial of Service Vulnerability
    Windows Kernel | CVE-2020-0941 | Win32k Information Disclosure Vulnerability
    Windows Kernel | CVE-2020-0928 | Windows Kernel Information Disclosure Vulnerability
    Windows Kernel | CVE-2020-16854 | Windows Kernel Information Disclosure Vulnerability
    Windows Kernel | CVE-2020-1034 | Windows Kernel Elevation of Privilege Vulnerability
    Windows Kernel | CVE-2020-1033 | Windows Kernel Information Disclosure Vulnerability
    Windows Kernel | CVE-2020-1589 | Windows Kernel Information Disclosure Vulnerability
    Windows Kernel | CVE-2020-1592 | Windows Kernel Information Disclosure Vulnerability
    Windows Print Spooler Components | CVE-2020-1030 | Windows Print Spooler Elevation of Privilege Vulnerability
    Windows Shell | CVE-2020-0870 | Shell infrastructure component Elevation of Privilege Vulnerability

  • City of Hartford postpones first day of school after ransomware attack

    Image: NCI
    Officials from the city of Hartford, Connecticut, were forced to postpone the first day of the new school calendar year after a ransomware infection impacted the city’s IT network.

    According to a statement published by Hartford Public Schools, the school district serving the city of Hartford, the ransomware attack impacted several of the school’s internal IT systems, causing a prolonged outage.
    IT staff have been working to restore services, but these were not completed in time for the first day of the new school year, scheduled for today, Sept. 8.
    Following the COVID-19 pandemic, in-person schooling has been suspended since the spring. In the city of Hartford, today marked not only the first day of the new 2020 school year but also the first day of in-person attendance in months.
    According to the district’s school re-opening plan, today, PreK-Grade 2, Grade 6, and Grade 9 students were supposed to have the first school classes in months.

    Hartford Public Schools plan for in-person learning classes for school year 2020
    But in a sudden and unexpected announcement earlier this morning, officials said they were forced to delay in-person attendance because the district’s IT system that communicates with the bus company that transports students to school was still down following the ransomware attack.
    Since school bus routes couldn’t be configured and monitored, school officials decided to delay the first day of school to a later date.
    Remote learning classes have also been suspended, Hartford Public Schools said in a message sent to parents, effectively suspending the start of the entire 2020 school year.
    The district didn’t provide a timeline for the remediation of its IT systems and said it would notify parents when they’ll be able to start the new year.

  • iPhone users: Do this simple thing every week

    I remember a time when everyone wanted tips on how to make their computer run faster or keep attackers away from their data. Nowadays the devices have changed — it’s now smartphones — but the questions remain the same.

    iPhones especially fall into this category. Maybe it’s because people keep iPhones for longer than Android devices, or maybe because they get more updates, so suffer from slow-down more. I’m not sure about the reason, but iPhone users wanting tips on making their devices run faster outweigh their Android counterparts about ten to one (which is startling given how many more Android users there are out there, and the vast range of hardware).
    iPhone users are also concerned about bad guys getting their grubby hands on their data.

    So, here’s a simple tip that will help iPhone users kill two birds with a single stone and both speed up their device and help keep it more secure.
    Reboot it every week. Yes, once a week. Set yourself a reminder.
    Yup, it’s that simple.
    Not only does this clear the system’s RAM and get it ready to do more work, but it also helps protect against remote exploits by making it harder for hackers to keep control of your iPhone — hacks don’t survive reboots.
    How do you reboot your iPhone?
    Step 1: If you have Face ID, press and hold the side button and either volume button until the power off slider appears. Alternatively, if you have Touch ID, press and hold the top or side button until the power off slider appears.
    Step 2: Slide the slider to the right.
    Step 3: Wait until your device turns off and then restart it by pressing and holding the top or side button until the Apple logo appears.
    Step 4: Enter your passcode to activate Face ID/Touch ID.
    It takes a couple of minutes, and I find that it’s well worth doing, and have set a weekly alarm for Monday morning.

  • University warns that 'serious cyber incident' could take weeks to fix

    Newcastle University has been hit by a cyberattack that it says will take weeks to fix – and while the institution hasn’t confirmed the nature of the incident, a ransomware gang is threatening online to leak the personal data of students.
    The university first started reporting issues with IT systems on September 1, which has since led to almost all university systems used by students and staff becoming restricted or unavailable in an effort to stop further disruption by the attack.


    “It is essential that our IT estate is free from any malware and secure before we start the recovery process,” said an update by the university on September 2.
    The type of malware that has infected the systems hasn’t been disclosed by the university, but cyber criminals have claimed responsibility for a ransomware attack against the university – and they’re threatening to release the personal data of students.
    The DoppelPaymer ransomware gang has become known for demanding large Bitcoin ransoms from victims and has in the past posted personal data stolen from systems before they were encrypted in an effort to force victims into paying up. DoppelPaymer is thought to be an updated version of BitPaymer ransomware.
    However, the university is yet to confirm if it has fallen victim to a ransomware attack, let alone the specifics of the ransomware family that has potentially compromised its systems. It has only said that “investigations are ongoing” into the cyberattack and that “many IT services are not operating”.
    ZDNet has attempted to confirm the nature of the attack, but at the time of publication is yet to receive comment from the university.
    In a FAQ about the incident published online, Newcastle says the nature of the problem means it’ll take “several weeks” for services to return to normal – something that could potentially disrupt the start of the new term for both staff and students. New students are due to arrive on 28 September, with existing students set to return after that.
    In answer to the question “Is my personal data compromised?”, the FAQ says: “The investigation into the incident is still at an early stage. IT colleagues continue to work hard on the systems recovery plan, and to support the Police and the National Crime Agency with their enquiries.
    “Please be assured we take the security of our systems extremely seriously and we were able to respond quickly to this incident. This is now the subject of a Police investigation and our team in NUIT is working extremely hard with a number of agencies to address the issue,” the statement adds.
    The incident has been reported to the Information Commissioner’s Office and the UK’s National Cyber Security Centre (NCSC) has also been informed.
    “We are aware of an incident affecting Newcastle University and are providing support,” an NCSC spokesperson told ZDNet. “The NCSC works closely with the academic sector to improve its security practices and help protect academic establishments from threats.”
    Ransomware continues to plague organisations around the world and it has become the quickest and easiest way for cyber criminals to make money from compromising entire networks. Crooks can potentially make millions from a single ransomware campaign and the nature of ransomware attacks means that they’re often difficult to trace back to the attackers, so cyber criminals don’t get caught.

  • Researcher reveals Google Maps XSS bug, patch bypass

    Google has resolved an XSS vulnerability in Google Maps that was reported through the tech giant’s bug bounty program. 

    Google’s Vulnerability Reward Program (VRP) provides a platform for third-party researchers to disclose security issues in Google services and products privately, in return for a financial reward and credit.
    Zohar Shachar, head of application security at Wix, said in a blog post describing the vulnerability that a cross-site scripting issue was present in how Google Maps handles export features.
    After creating a map, the service allows this content to be exported in a variety of formats, one of which is KML, which uses a tag-based structure and is based on the XML standard. 
    According to Shachar, this file format’s map name is contained in an open CDATA tag, and so the code is “not rendered by the browser.” However, by adding special characters such as “]] >,” it was possible to escape from the tag and add arbitrary XML content, leading to XSS. The researcher then reported his findings to Google. 

    Note: there is a missing ‘ > ‘ in step three. 
    Zohar Shachar
    However, this wasn’t the end of the security problem. After Google sent Shachar a message saying the XSS flaw was resolved, the researcher checked by launching Google Maps, entering the same payload, and viewing the results. 
    Shachar said that what he saw was “confusing,” as the fix just included adding a new CDATA tag to close the original tag. With two open CDATA tags, therefore, bypassing the fix would only take two closed CDATA tags. 
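    As an added example (not code from the article, from Shachar, or from Google), here is the encoding a KML exporter should apply when it drops an untrusted map name into a CDATA section, with a round-trip check showing why a naive wrapper fails on a name containing the terminator and why a second opener cannot fix it; the placemark layout and the function names are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

KML_NS = "http://www.opengis.net/kml/2.2"
CDATA_END = "]]>"


def unsafe_cdata(text: str) -> str:
    """Naive wrapping: the map name is placed verbatim inside one CDATA section.
    If the name itself contains ']]>' the section ends early and everything
    after it is parsed as markup, which is the bug class the article describes."""
    return "<![CDATA[" + text + "]]>"


def safe_cdata(text: str) -> str:
    """Split every ']]>' across two CDATA sections so it can never terminate
    the section. Stacking a second '<![CDATA[' opener does not help, because
    CDATA sections do not nest: the first ']]>' still closes everything."""
    return "<![CDATA[" + text.replace(CDATA_END, "]]]]><![CDATA[>") + "]]>"


def has_cdata_terminator(text: str) -> bool:
    """Input-side check for the only byte sequence that breaks out of CDATA."""
    return CDATA_END in text


def kml_placemark(name_markup: str) -> str:
    """Minimal KML document (assumed layout) around an already-wrapped name."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<kml xmlns="{KML_NS}"><Document><Placemark>'
        f"<name>{name_markup}</name>"
        "</Placemark></Document></kml>"
    )


def round_trips(wrapper, name: str) -> bool:
    """True only if the document is well-formed, <name> holds exactly the
    original text, and no child element was injected into it."""
    try:
        root = ET.fromstring(kml_placemark(wrapper(name)))
    except ET.ParseError:
        return False
    elem = root.find(f"{{{KML_NS}}}Document/{{{KML_NS}}}Placemark/{{{KML_NS}}}name")
    return elem is not None and (elem.text or "") == name and len(elem) == 0


if __name__ == "__main__":
    for name in ("My hiking map", "Map ]]> with terminator"):
        print(f"{name!r}: unsafe={round_trips(unsafe_cdata, name)} "
              f"safe={round_trips(safe_cdata, name)}")
```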
    “I was genuinely surprised the bypass was so simple,” the researcher noted. “I reported it so quickly (literally 10 minutes between checking my mailbox and reporting a bypass), that right after sending this mail I started doubting myself.”
    Roughly two hours after sending a fresh query with his findings, the researcher was told the case was being reopened. 
    The first XSS issue was reported to Google on April 23. By April 27, Google’s VRP team had accepted the vulnerability as legitimate, issuing the first fix and reward by June 7. The bypass of the original patch was reported on the same day, and after being resolved, the researcher received his second payout on June 18.
    Each vulnerability earned Shachar $5,000, for a total reward of $10,000.
    “Ever since this Google Maps fix bypass incident I started to always re-validate fixes, even for simple things, and it has been paying off,” Shachar says. “I full-heartedly encourage you to do the same.”
    Google’s bug bounty program issued a record amount of payouts over 2019. Over the year, Google paid out $6.5 million in rewards for bug bounty disclosures, and the top payout was issued to Alpha Lab’s Guang Gong for a remote code execution exploit chain in the Pixel 3. The researcher was awarded $201,337. 
    ZDNet has reached out to Google and will update when we hear back. 


  • Academics find crypto bugs in 306 popular Android apps, none get patched

    A team of academics from Columbia University has developed a custom tool to dynamically analyze Android applications and see if they’re using cryptographic code in an unsafe way.
    Named CRYLOGGER, the tool was used to test 1,780 Android applications, representing the most popular apps across 33 different Play Store categories, in September and October 2019.
    Researchers say the tool, which checked for 26 basic cryptography rules (see table below), found bugs in 306 Android applications. Some apps broke one rule, while others broke multiple.
    The top three most broken rules were:
    Rule #18 – 1,775 apps – Don’t use an unsafe PRNG (pseudorandom number generator)
    Rule #1 – 1,764 apps – Don’t use broken hash functions (SHA1, MD2, MD5, etc.)
    Rule #4 – 1,076 apps – Don’t use the operation mode CBC (client/server scenarios)
    These are basic rules that any cryptographer knows very well, but rules that some app developers might not be aware of without having studied app security (AppSec) or advanced cryptography prior to entering the app development space.
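    The three rules above, applied the way a dynamic checker would apply them to a log of observed crypto API calls, as an added example that is not CRYLOGGER’s code; the log format, the app names and the rule constants are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed log of observed Java crypto API calls, one call per line.
# This is an invented format for the example, not CRYLOGGER's own output.
SAMPLE_LOG = """\
app=com.example.wallet api=java.util.Random.<init> args=
app=com.example.wallet api=java.security.MessageDigest.getInstance args=MD5
app=com.example.wallet api=javax.crypto.Cipher.getInstance args=AES/CBC/PKCS5Padding
app=com.example.notes api=java.security.SecureRandom.<init> args=
app=com.example.notes api=java.security.MessageDigest.getInstance args=SHA-256
app=com.example.notes api=javax.crypto.Cipher.getInstance args=AES/GCM/NoPadding
app=com.example.chat api=java.security.MessageDigest.getInstance args=SHA1
app=com.example.chat api=javax.crypto.Cipher.getInstance args=AES/CBC/NoPadding
app=com.example.game api=java.lang.Math.random args=
"""

LINE_RE = re.compile(r"app=(\S+) api=(\S+) args=(.*)")

# Rule numbers follow the article's list.
RULE_1_BROKEN_HASH = 1    # Don't use broken hash functions (SHA1, MD2, MD5, ...)
RULE_4_CBC_MODE = 4       # Don't use the operation mode CBC (client/server scenarios)
RULE_18_UNSAFE_PRNG = 18  # Don't use an unsafe PRNG

BROKEN_HASHES = {"MD2", "MD5", "SHA1"}
UNSAFE_PRNG_APIS = {"java.util.Random.<init>", "java.lang.Math.random"}


def parse_log(text):
    """Yield (app, api, args) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)


def rules_violated(api, args):
    """Map one observed call to the set of rule numbers it breaks."""
    hit = set()
    if api in UNSAFE_PRNG_APIS:
        hit.add(RULE_18_UNSAFE_PRNG)
    if api.endswith("MessageDigest.getInstance"):
        # "SHA-1" and "SHA1" name the same algorithm; normalise before lookup
        if args.upper().replace("-", "") in BROKEN_HASHES:
            hit.add(RULE_1_BROKEN_HASH)
    if api.endswith("Cipher.getInstance"):
        # Transformation strings look like ALGORITHM/MODE/PADDING
        parts = args.upper().split("/")
        if len(parts) >= 2 and parts[1] == "CBC":
            hit.add(RULE_4_CBC_MODE)
    return hit


def check_apps(log_text):
    """Return {app: sorted rule numbers} for apps that break at least one rule."""
    violations = defaultdict(set)
    for app, api, args in parse_log(log_text):
        violations[app] |= rules_violated(api, args)
    return {app: sorted(rules) for app, rules in violations.items() if rules}


def apps_per_rule(report):
    """Count how many apps break each rule, the way the article reports it."""
    counts = defaultdict(int)
    for rules in report.values():
        for rule in rules:
            counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    report = check_apps(SAMPLE_LOG)
    for app, rules in sorted(report.items()):
        print(f"{app}: breaks rule(s) {rules}")
    print("apps per rule:", apps_per_rule(report))
```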

    Image: Piccolboni et al.
    Only 18 of 306 app developers replied to the research team
    The Columbia University academics said that after they tested the apps, they also contacted all the developers of the 306 Android applications found to be vulnerable.
    “All the apps are popular: they have from hundreds of thousands of downloads to more than 100 million,” the research team said. “Unfortunately, only 18 developers answered our first email of request and only 8 of them followed back with us multiple times providing useful feedback on our findings.”
    While some crypto bugs were in an application’s code, some common bugs were also being introduced as part of Java libraries used as part of the apps.
    The researchers say they also contacted the developers of 6 popular Android libraries, but just like before, they only received answers from 2 of them.
    Since none of the developers fixed their apps and libraries, researchers refrained from publishing the names of the vulnerable apps and libraries, citing possible exploitation attempts against the apps’ users.
    A complementary tool to CryptoGuard
    All in all, the research team believes they’ve built a powerful tool that can be reliably used by Android developers as a complementary utility to CryptoGuard.
    The two tools are complementary because CryptoGuard is a static analyzer (it analyzes source code before it is executed), while CRYLOGGER is a dynamic analysis tool (it analyzes code while it is being executed). Since the two work at different levels, the academics believe both could be used to detect cryptography-related bugs in Android apps before app code reaches user devices.
    Just like CryptoGuard, CRYLOGGER’s code is also available on GitHub.
    Additional details about the team’s research are available in a pre-print named “CRYLOGGER: Detecting Crypto Misuses Dynamically,” set to be presented at the IEEE Symposium on Security and Privacy, next year, in May 2021.

  • France, Japan, New Zealand warn of sudden spike in Emotet attacks

    Cyber-security agencies from France, Japan, and New Zealand have published security alerts over the past week warning about a large uptick in Emotet malware attacks targeting their respective countries.
    Emotet activity described in the alerts refers to email spam campaigns that originated from Emotet infrastructure and targeted companies and government agencies in the three countries.
    Victim organizations who received the emails, opened, and then ran the attached documents were at risk of getting infected with one of today’s most dangerous malware.
    Joseph Roosen, a member of Cryptolaemus, a group of security researchers who track Emotet malware campaigns, told ZDNet that the Emotet botnet has been particularly active in recent weeks, and especially active in the three countries.
    For example, Roosen said New Zealand had been heavily targeted by Emotet operators via emails originating from E3 (one of the three mini-botnets that make the larger Emotet infrastructure).
    On the other hand, while E3 was busy spamming New Zealand, Roosen said that all three mini-Emotet botnets (E1, E2, and E3) were targeting Japan. According to CERT Japan, these Emotet spam waves led to Emotet sightings tripling last week, prompting experts to sound the alarm.

    Image: CERT Japan
    But while Japan and New Zealand have been under heavy spam waves, things were lighter in France, where, Roosen said, Emotet spam waves haven’t been at the same levels as in the other two countries.
    Nonetheless, Emotet infected computers on the network of the Paris court system, turning heads, making headlines, and triggering a state of emergency among French officials.
    The French Interior Ministry reacted by blocking all Office documents (.doc) from being delivered via email, and France’s cyber-security agency ANSSI followed through with an official cyber-security alert on Monday, urging government agencies to pay attention to the emails they’re opening.

    Conversation hijacking
    According to all three alerts, the attacks appear to have been the same.
    Emotet operators used their old trick of infecting one victim and then stealing older email threads. The group would then revive these old conversations, add malicious files as attachments, and target new users with a legitimate-looking conversation.
    Users who were part of the conversations, or those added to them, would often open the malicious file attachments added to the email thread out of curiosity and get infected.
    In the recent campaigns that targeted France, Japan, and New Zealand, Emotet appears to have used Microsoft Word documents (.doc) and password-protected ZIP archive files as the malicious email attachments, attacks that have been seen targeting companies in other countries as well.
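    As an added illustration (not part of the original ZDNet article), the following mail-triage helper flags the two attachment types described above and notes when the message is a reply to an existing thread, which is the hijacking pattern the alerts describe. The sample message is constructed inline; the ZIP detection reads the encryption bit in the ZIP local file header rather than trusting the file name.

```python
import email
import struct
from email import policy
from email.message import EmailMessage


def zip_is_encrypted(data: bytes) -> bool:
    """True if the first ZIP local file header has the encryption bit (bit 0) set."""
    if len(data) < 8 or data[:4] != b"PK\x03\x04":
        return False
    general_purpose_flags = struct.unpack("<H", data[6:8])[0]
    return bool(general_purpose_flags & 0x1)


def triage_message(raw: bytes) -> dict:
    """Return thread-reply status and a list of attachment findings for one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Hijacked threads arrive as replies, so the reply headers are usually present.
    in_thread = bool(msg.get("In-Reply-To") or msg.get("References"))
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(".doc"):
            findings.append(f"{name}: Word .doc attachment")
        elif name.endswith(".zip") and zip_is_encrypted(payload):
            findings.append(f"{name}: password-protected ZIP")
    return {"in_thread": in_thread, "findings": findings}


def build_sample() -> bytes:
    """Constructed sample: a reply carrying an encrypted ZIP and a .doc (hypothetical addresses)."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "RE: invoice"
    msg["In-Reply-To"] = "<old-thread@example.com>"
    msg.set_content("See attached.")
    # 30-byte ZIP local file header with the encryption flag set; not a complete archive.
    encrypted_zip = b"PK\x03\x04" + b"\x14\x00" + b"\x01\x00" + b"\x00" * 22
    msg.add_attachment(encrypted_zip, maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"\xd0\xcf\x11\xe0", maintype="application", subtype="msword", filename="invoice.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_message(build_sample()))
```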
    All three security alerts contain sound advice for anyone looking for ways to prevent or deal with Emotet infections, regardless of the country of origin.
    At one point or another, Emotet will switch targeting and go after other countries, as the botnet can send out spam in multiple languages, according to cyber-security firm Proofpoint.
    But the best Emotet advice ZDNet can give concerns systems that have already been found to be infected. In this case, companies should take down their entire networks and audit each system. This is because Emotet has features that allow it to spread laterally across the entire network, and Emotet is also often used to download other malware, including ransomware. Taking infected systems or the entire network offline while systems are scanned and re-imaged is the best way to avoid an even more costly security incident.


    Chilean bank shuts down all branches following ransomware attack

    BancoEstado, one of Chile’s three biggest banks, was forced to shut down all branches on Monday following a ransomware attack that took place over the weekend.
    “Our branches will not be operational and will remain closed today,” the bank said in a statement published on its Twitter account on Monday.

    Details about the attack have not been made public, but a source close to the investigation told ZDNet that the bank’s internal network was infected with the REvil (Sodinokibi) ransomware.
    The incident is currently being investigated as having originated from a malicious Office document received and opened by an employee. The malicious Office file is believed to have installed a backdoor on the bank’s network.
    Investigators believe that on the night between Friday and Saturday, hackers used this backdoor to access the bank’s network and install ransomware.
    Bank employees working weekend shifts discovered the attack when they couldn’t access their work files on Saturday.
    BancoEstado reported the incident to Chilean police, and on the same day, the Chilean government sent out a nationwide cyber-security alert warning about a ransomware campaign targeting the private sector.
    While the bank initially hoped to recover from the attack unnoticed, the damage was extensive, according to sources, with the ransomware encrypting the vast majority of internal servers and employee workstations.
    The bank initially disclosed the attack on Sunday, but as time went by, bank officials realized employees wouldn’t be able to work on Monday and decided to keep branches closed while they recovered.
    Luckily, it appears the bank had done its job and properly segmented its internal network, which limited what the hackers could encrypt. The bank’s website, banking portal, mobile apps, and ATMs were untouched, according to multiple statements released by the bank, in order to reassure customers that their funds were safe.
    The REvil ransomware gang is one of the few groups that operate a leak site, where it leaks files from networks it breaches, in case the victim doesn’t want to pay. At the time of writing, BancoEstado’s name is not on the leak site, suggesting the bank has either paid the ransom demand, or is still negotiating with the hackers.
    This marks the second time hackers have targeted a Chilean bank. In June 2018, North Korean hackers deployed disk-wiping malware on the network of Banco de Chile while attempting to hide a bank hack. A year later they also breached Redbanc, the company that interconnects the ATM infrastructure of all Chilean banks, during an attempt to orchestrate an ATM cash-out scheme.