Two new attacks allow alteration of certified PDF documents

Researchers from Ruhr-University Bochum have disclosed two new attack techniques, dubbed Evil Annotation and Sneaky Signature attacks, on certified PDF documents that could potentially allow attackers to modify visible content without invalidating their digital signature. The attacks leverage the flexibility of PDF certification that allows signing or adding annotations to certified documents under different permission levels. The experts presented the results of the study at the 42nd IEEE Symposium on Security and Privacy.

(Security Affairs)

US says agencies fended off latest Russian hack involving four new malware families

The White House says it believes U.S. government agencies largely fended off the latest cyberespionage onslaught blamed on Russian intelligence operatives APT29, also known as Nobelium, saying the spear-phishing campaign should not further damage relations with Moscow ahead of next month’s planned presidential summit. In this case, the group gained access to an email marketing account of the U.S. Agency for International Development (USAID) and targeted about 3,000 email accounts at more than 150 different organizations. Microsoft states that four new malware families were used in the attack: an HTML attachment named ‘EnvyScout’, a downloader known as ‘BoomBox’, a loader known as ‘NativeZone’, and a shellcode downloader and launcher named ‘VaporRage’.

(Security Week and Bleeping Computer)

New Epsilon Red ransomware hunts unpatched Microsoft Exchange servers

Incident responders at cybersecurity company Sophos discovered the new Epsilon Red ransomware over the past week while investigating an attack at a U.S. company in the hospitality sector. The researchers found that the threat actor breached the enterprise network by exploiting unpatched vulnerabilities in on-premise Microsoft Exchange servers. Andrew Brandt, principal researcher at Sophos, says that the attackers may have leveraged the ProxyLogon set of vulnerabilities to reach machines on the network.

(Bleeping Computer)

Lawsuit reveals Google made it nearly impossible for users to keep their locations private

Newly unredacted documents in a lawsuit against Google reveal that the company’s own executives and engineers knew just how difficult the company had made it for smartphone users to keep their location data private. Google continued collecting location data even when users turned off various location-sharing settings, and even pressured LG and other phone makers into hiding these settings. The documents are part of a lawsuit brought against Google by the Arizona Attorney General’s office last year.

(Business Insider)

Thanks to our episode sponsor, ReversingLabs

Recent supply chain attacks and executive orders have left thousands scrambling for guidance. Join ReversingLabs as they take their exclusive supply chain roadshow to your local region virtually. Hear from app sec specialists and security execs as they discuss lessons learned and innovative approaches that will move your supply chain security and compliance program forward. For more information, visit reversinglabs.com.

US soldiers expose nuclear weapons secrets via flashcard apps

Flashcard learning apps, used by US soldiers tasked with the custody of nuclear weapons in Europe, have inadvertently revealed not just the bases, but even identified the exact shelters with “hot” vaults that likely contain nuclear weapons, as well as intricate security details and protocols such as the positions of cameras, the frequency of patrols around the vaults, secret duress words that signal when a guard is being threatened, and the unique identifiers that a restricted area badge needs to have. Some of these have been findable since 2013. All were taken down after the researchers at Bellingcat contacted NATO and the US military.

(Bellingcat)

Boss of ATM skimming syndicate arrested in Mexico

Florian “The Shark” Tudor, the alleged ringleader of a prolific ATM skimming gang that siphoned hundreds of millions of dollars from bank accounts of tourists visiting Mexico over the last eight years, was arrested in Mexico City on Thursday in response to an extradition warrant from a Romanian court. Tudor, a native of Romania, set up Top Life Servicios, an ATM servicing company which managed a fleet of relatively new ATMs based in Mexico branded as Intacash, a company that bribed or coerced ATM technicians to install Bluetooth-based skimmers inside cash machines located in tourist destinations in and around the Yucatan Peninsula. The full story of this campaign and takedown is available at KrebsOnSecurity.

(KrebsOnSecurity)

Microsoft Edge 91 release marred with bugs

Following Microsoft’s release of Microsoft Edge 91 last Friday, users have been reporting numerous problems, including a nag screen continuously shown on startup asking users if they want to “Use recommended browser settings.” For some users, even if they close the dialog or specify not to update the browser settings, the nag screen continues to show when they restart the browser. Users on other forums have also reported that Edge is no longer honoring their configured startup page and is opening the New Tab page instead.

(Bleeping Computer)

Cheese-loving drug dealer gets fingered when private chat gets seized

Carl Stewart, a Liverpool area drug dealer, was identified and arrested after he shared an image of some cheese he had obtained at a UK supermarket. Last year, the 39-year-old had shared a photo of his hand holding a package of Stilton cheese on Encrochat, an encrypted messaging service that was closed down by the police in July last year as part of a Europol investigation into the channel as a conduit for organized crime. His palm and fingerprints were analyzed from this picture. He pled guilty to conspiracy to supply cocaine, heroin, MDMA, and ketamine, as well as the charge of transferring criminal property.

(ZDNet)