October 29, 2019 – HNN #239



In the news, Adobe database exposes 7.5 million Creative Cloud users, HP team fixes nasty site-owning remote execution bug, Fancy Bear continues to target sporting and anti-doping organizations, and much more!

Visit https://www.securityweekly.com/hnn for all the latest episodes!

Full Episode Show Notes

To learn more about our sponsors visit: The Security Weekly Sponsor’s Page

October 29, 2019

  1. Adobe database exposes 7.5 million Creative Cloud users – ‘Discovered on October 19 by data hunter Bob Diachenko and security company Comparitech, the unsecured database contained the email addresses of nearly 7.5 million customers of Adobe’s Creative Cloud, and included the following data: Account creation date, Adobe products used, Subscription status, Member IDs and other subscriber information. While no passwords were disclosed, Attackers could pose as Adobe or a related company and trick users into giving up further info, such as passwords, for example.
  2. PHP team fixes nasty site-owning remote execution bug – For the bug to work, the website also be running the Nginx web server, a vulnerable version of PHP and PHP-FPM. When calling a script, the PHP language failed to check that its path was correct. The researcher used this to manipulate a variable within PHP that developers use to configure it. The researcher explained: Using this technique, I was able to create a fake PHP_VALUE fcgi variable and then use a chain of carefully chosen config values to get code execution. The team fixed the bug in several point releases of PHP. Version 7.1 users should download PHP 7.1.33. Version 7.2 users need PHP 7.2.24, while version 7.3 users should opt for 7.3.11. As with all security releases, the PHP team urged users of the latest full release to upgrade to the latest point version.
  3. Major vulnerability patched in the EU’s eIDAS authentication system | ZDNet – A listener wrote in a while back and informed us of this system in reference to passwordless authentication: eIDAS stands for electronic IDentification, Authentication and trust Services. It is a very complex, cryptographically-secured electronic system for managing electronic transactions and digital signatures between EU member states, citizens, and businesses. The EU created eIDAS in 2014 to allow member state governments, citizens, and businesses to carry out cross-border electronic transactions that can be verified against official databases in any country, regardless of the origin state of the transaction. It is an amazing system, but like all software and systems its bound to have vulnerabilities: SEC Consult researchers said they found that current versions of the eIDAS-Node package fail to validate certificates used in eIDAS operations, allowing attackers to fake the certificate of any other eIDAS citizen or business. To carry out the attack, a threat actor only needs to initiate a malicious connection to an eIDAS-Node server of any member state, and supply forged certificates during the initial authentication process. Fixes are on the way as are more details about the attack.
  4. Running on Intel? If you want security, disable hyper-threading, says Linux kernel maintainer – Linux kernel dev Greg Kroah-Hartman reckons Intel…hyper-threading should be disabled for security due to MDS (Microarchitectural Data Sampling) bugs. He added: “MDS is where one program can read another program’s data. That’s a bad thing when you are running in a shared environment such as cloud computing, even between browser tabs. “You can cross virtual machine boundaries with a lot of this. MDS exploits the fact that CPUs are hyper-threaded, with multiple cores on the same die that share caches. When you share caches, you can detect what the other CPU core was doing.” Open BSD was right, he said. “A year ago they said disable hyper-threading, there’s going to be lots of problems here. They chose security over performance at an earlier stage than anyone else. Disable hyperthreading. That’s the only way you can solve some of these issues. We are slowing down your workloads. Sorry.”
  5. Fancy Bear continues to target sporting and anti-doping organizations – “Today we’re sharing that the Microsoft Threat Intelligence Center has recently tracked significant cyberattacks originating from a group we call Strontium, also known as Fancy Bear/APT28, targeting anti-doping authorities and sporting organizations around the world.” reads the post published by Microsoft. “At least 16 national and international sporting and anti-doping organizations across three continents were targeted in these attacks which began September 16th, just before news reports about new potential action being taken by the World Anti-Doping Agency.” The attacks began on September 16, 2019, while the World Anti-Doping Agency was warning that Russia could face a ban from all major sports events over “discrepancies” in a lab database. According to Russian whistleblowers, the Russian Anti-Doping Agency (RUSADA) was enabling systemic doping in athletics After the revelations, the Russia team was suspended from participating in the 2018 Winter Olympics. Now the results of new investigations conducted by the WADA could jeopardize participation in the 2020 Tokio Olympic Games.
  6. ATTK of the Pwns: Trend Micro’s antivirus tools ‘will run malware if its filename is cmd.exe’ – Bug-hunter John “hyp3rlinx” Page took credit for uncovering CVE-2019-9491, an arbitrary code execution flaw in the security tool. In short, the Trend software can be tricked into executing any old piece of software under the sun, including malware, when it is scanned, provided the filename is cmd.exe or regedit.exe. No, really. “Trend Micro Anti-Threat Toolkit (ATTK) will load and execute arbitrarily.EXE files if a malware author happens to use the vulnerable naming convention of ‘cmd.exe’ or ‘regedit.exe'” hyp3rlinx explained on Saturday.
  7. Georgia hit by massive cyber-attack – A huge cyber-attack has knocked out more than 2,000 websites – as well as the national TV station – in the country of Georgia. Court websites containing case materials and personal data have also been attacked. In many cases, website home pages were replaced with an image of former President Mikheil Saakashvili, and the caption “I’ll be back”. The origin of the attack is not yet known.

Expert Commentary: Jason Wood, Paladin Security

Fancy Bear Targets Sporting, Anti-Doping Orgs As 2020 Olympics Loom


In the area of espionage, there is an acronym called MICE that is used to explain the reasons why someone might decide to spy on their country. This breaks down to Money, Ideology, Compromise (blackmail), and Ego. As I read Microsoft’s blog post yesterday about attacks on anti-doping organizations, ego seemed to stand out prominently. The Olympics has long been an event for countries to compete with each other and gain some level of bragging rights over each other. And there really isn’t any country that doesn’t take immense pride in the performance of their athletes. That pride can be bruised as well, and Microsoft’s report is an illustration of that.

Yesterday Microsoft released a blog post stating that Fancy Bear (aka APT28, aka Strontium, aka Sofacy) has been busy attacking sporting and anti-doping organizations over the last couple of months. A number of Russian athletes were banned from the 2016 Summer Olympics due to the use of performance-enhancing drugs and practices. Then in 2018, the entire Russian Olympic Committee was banned from the Winter Olympics. Russian athletes who tested as clear of performance-enhancing drugs were allowed to compete under a neutral flag, but no one was allowed to compete under the Russian flag. The Russian government and people were outraged and their national pride was injured.

Fancy Bear is alleged to have acted in response to this by attacking organizations associated with this decision and releasing confidential information, causing destructive attacks on the Winter Olympics, and generally causing havoc. As we start to approach the 2020 Olympics, the activity is starting to pick back up again. Microsoft states that “16 national and international sporting and anti-doping organizations across three continents” have come under attack in a campaign that started on September 16th. This date was just before the World Anti-Doping Agency (WADA) was to release a compliance report that called on Russia to explain inconsistencies in the data it provided to WADA or face the risk of not competing in the Olympics again. WADA gave Russia three weeks to explain the discrepancies that were described as data that has been deleted from Russia’s lab results.

Since that time, organizations associated with anti-doping efforts in sports have come under consistent attack. The attacks themselves are not novel or new. They tend to consist of password guessing, phishing emails, and general attacks against hosts on the internet. Microsoft did say that they had observed “open-source and custom malware” as part of this activity.

The information here is still thin on what is going on and I was not able to find a response from Russia to Microsoft’s report. Microsoft only says that the attacks are “are similar to those routinely used by Strontium to target governments, militaries, think tanks, law firms, human rights organizations, financial firms and universities around the world.” Russia has responded to the request for an explanation from WADA and WADA’s decision on it is not known at this point.

So why would an attacker group become active again in with this initial finding by WADA? I think national pride (or ego) is a good partial explanation. The 2018 Olympic ban infuriated Russians. So this activity could begin again to retaliate against organizations that the group feels is wronging them yet again. There is part of being human that likes the idea of retribution. There is also the possibility of sending a message in these attacks. By going after the ant-doping agencies and sporting groups, it gives them a warning. The implication is to let Russia compete again or suffer the consequences.

To me, it is interesting to see how nations are developing their use of cyberattacks in international politics and relations. In the past, you would see protests at the UN, economic sanctions, or even threats of military action. Now the world has added another element to the possible responses. And one with some deniability, because it is not easy to prove the source of a computer attack back to a country. And even if you do, what is everyone willing to do in response? Will countries accept that proof or look the other way? It’s all part of how countries interact with one another and these attacks appear to be another example of how they can play out.


Jason Wood
Jason Wood – Founder; Primary Consultant
Paul Asadoorian
Paul Asadoorian – Founder & CTO



  • We have exciting news about the Security Weekly webcast program: We are now partnered with (ISC)2 as an official CPE provider! If you attend any of our webcasts, you will be receiving 1 CPE credit per webcast! Register for one of our upcoming webcast with Zane Lackey of Signal Sciences, Ian McShane from Endgame, or Stephen Smith and Jeff Braucher of LogRhythm (or all 3!) by going to securityweekly.com/webcasts If you have missed any of our previously recorded webcasts, you can find our on-demand library at securityweekly.com/ondemand